Revision fc15c440498f815e384f496c5913fe1db9f69a28 authored by Adam Langley on 06 June 2014, 21:44:20 UTC, committed by Matt Caswell on 06 August 2014, 21:02:00 UTC
Previously, a truncated DTLS fragment in |dtls1_process_out_of_seq_message| would cause *ok to be cleared, but the return value would still be the number of bytes read. This would cause |dtls1_get_message| not to consider it an error and it would continue processing as normal until the calling function noticed that *ok was zero. I can't see an exploit here because |dtls1_get_message| uses |s->init_num| as the length, which will always be zero from what I can see. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Emilia Käsper <emilia@openssl.org>
1 parent 445598b
Computing file changes ...
