diff options
author | Matt Caswell <matt@openssl.org> | 2018-05-11 10:28:47 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2018-05-12 09:59:02 +0100 |
commit | a925e7dbf4c3bb01365c961df86da3ebfa1a6c27 (patch) | |
tree | 2d356ec27903a90d25fabfb735c20433408c64c0 /ssl | |
parent | c82c3462267afdbbaa53e11da0508ce4e03c02b3 (diff) |
Don't memcpy the contents of an empty fragment
In DTLS if we have buffered a fragment for a zero length message (e.g.
ServerHelloDone) then, when we unbuffered the fragment, we were attempting
to memcpy the contents of the fragment which is zero length and a NULL
pointer. This is undefined behaviour. We should check first whether we
have a zero length fragment.
Fixes a travis issue.
[extended tests]
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6223)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/statem/statem_dtls.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c index 75ff525c32..b016fa7cff 100644 --- a/ssl/statem/statem_dtls.c +++ b/ssl/statem/statem_dtls.c @@ -504,7 +504,7 @@ static int dtls1_retrieve_buffered_fragment(SSL *s, size_t *len) /* Calls SSLfatal() as required */ ret = dtls1_preprocess_fragment(s, &frag->msg_header); - if (ret) { + if (ret && frag->msg_header.frag_len > 0) { unsigned char *p = (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH; memcpy(&p[frag->msg_header.frag_off], frag->fragment, |