[prev in list] [next in list] [prev in thread] [next in thread]
List: openssl-dev
Subject: [openssl.org #1930] [PATCH] DTLS record buffer limitation bug
From: "Robin Seggelmann via RT" <rt () openssl ! org>
Date: 2009-05-16 11:31:08
Message-ID: rt-3.4.5-19636-1242473468-1681.1930-21-0 () openssl ! org
[Download RAW message or body]
Records are buffered if they arrive with a future epoch to be
processed after finishing the corresponding handshake. There is
currently no limitation to this buffer allowing an attacker to perform
a DOS attack with sending records with future epochs until there is no
memory left. This patch adds the pqueue_size() function to detemine
the size of a buffer and limits the record buffer to 100 entries.
Thanks to Daniel Mentz for finding this bug!
--- crypto/pqueue/pqueue.c 2005-12-20 08:03:10.000000000 +0100
+++ crypto/pqueue/pqueue.c 2009-05-15 16:07:33.000000000 +0200
@@ -237,3 +237,17 @@
return ret;
}
+
+int
+pqueue_size(pqueue_s *pq)
+{
+ pitem *item = pq->items;
+ int count = 0;
+
+ while(item != NULL)
+ {
+ count++;
+ item = item->next;
+ }
+ return count;
+}
--- crypto/pqueue/pqueue.h 2005-06-08 00:21:14.000000000 +0200
+++ crypto/pqueue/pqueue.h 2009-05-15 16:07:03.000000000 +0200
@@ -89,5 +89,6 @@
pitem *pqueue_next(piterator *iter);
void pqueue_print(pqueue pq);
+int pqueue_size(pqueue pq);
#endif /* ! HEADER_PQUEUE_H */
--- ssl/d1_pkt.c 2009-04-23 18:32:40.000000000 +0200
+++ ssl/d1_pkt.c 2009-05-15 16:06:23.000000000 +0200
@@ -207,6 +207,10 @@
DTLS1_RECORD_DATA *rdata;
pitem *item;
+ /* Limit the size of the queue to prevent DOS attacks */
+ if (pqueue_size(queue->q) >= 100)
+ return 0;
+
rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
item = pitem_new(priority, rdata);
if (rdata == NULL || item == NULL)
["dtls-record-buffer-bug-1.0.0.patch" (application/octet-stream)]
--- crypto/pqueue/pqueue.c 2005-12-20 08:03:10.000000000 +0100
+++ crypto/pqueue/pqueue.c 2009-05-15 16:07:33.000000000 +0200
@@ -237,3 +237,17 @@
return ret;
}
+
+int
+pqueue_size(pqueue_s *pq)
+{
+ pitem *item = pq->items;
+ int count = 0;
+
+ while(item != NULL)
+ {
+ count++;
+ item = item->next;
+ }
+ return count;
+}
--- crypto/pqueue/pqueue.h 2005-06-08 00:21:14.000000000 +0200
+++ crypto/pqueue/pqueue.h 2009-05-15 16:07:03.000000000 +0200
@@ -89,5 +89,6 @@
pitem *pqueue_next(piterator *iter);
void pqueue_print(pqueue pq);
+int pqueue_size(pqueue pq);
#endif /* ! HEADER_PQUEUE_H */
--- ssl/d1_pkt.c 2009-04-23 18:32:40.000000000 +0200
+++ ssl/d1_pkt.c 2009-05-15 16:06:23.000000000 +0200
@@ -207,6 +207,10 @@
DTLS1_RECORD_DATA *rdata;
pitem *item;
+ /* Limit the size of the queue to prevent DOS attacks */
+ if (pqueue_size(queue->q) >= 100)
+ return 0;
+
rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
item = pitem_new(priority, rdata);
if (rdata == NULL || item == NULL)
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic