[8.09] openssl: fix 4 DoS vulnerabilities in DTLS
authorNicolas Thill <nico@openwrt.org>
Mon, 24 Aug 2009 10:19:44 +0000 (10:19 +0000)
committerNicolas Thill <nico@openwrt.org>
Mon, 24 Aug 2009 10:19:44 +0000 (10:19 +0000)
 - CVE-2009-1377
 - CVE-2009-1378
 - CVE-2009-1379
 - CVE-2009-1387

SVN-Revision: 17361

package/openssl/Makefile
package/openssl/patches/402-cve-2009-1377.patch [new file with mode: 0644]
package/openssl/patches/403-cve-2009-1378.patch [new file with mode: 0644]
package/openssl/patches/404-cve-2009-1379.patch [new file with mode: 0644]
package/openssl/patches/405-cve-2009-1387.patch [new file with mode: 0644]

index f72b99b..14aa5b3 100644 (file)
@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_VERSION:=0.9.8i
-PKG_RELEASE:=3.1
+PKG_RELEASE:=3.2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://www.openssl.org/source/ \
diff --git a/package/openssl/patches/402-cve-2009-1377.patch b/package/openssl/patches/402-cve-2009-1377.patch
new file mode 100644 (file)
index 0000000..b81c824
--- /dev/null
@@ -0,0 +1,44 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1377
+
+--- a/ssl/d1_pkt.c
++++ b/ssl/d1_pkt.c
+@@ -167,6 +167,10 @@ dtls1_buffer_record(SSL *s, record_pqueu
+     DTLS1_RECORD_DATA *rdata;
+       pitem *item;
++      /* Limit the size of the queue to prevent DOS attacks */
++      if (pqueue_size(queue->q) >= 100)
++              return 0;
++              
+       rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
+       item = pitem_new(priority, rdata);
+       if (rdata == NULL || item == NULL)
+--- a/crypto/pqueue/pqueue.c
++++ b/crypto/pqueue/pqueue.c
+@@ -234,3 +234,17 @@ pqueue_next(pitem **item)
+       return ret;
+       }
++
++int
++pqueue_size(pqueue_s *pq)
++{
++      pitem *item = pq->items;
++      int count = 0;
++      
++      while(item != NULL)
++      {
++              count++;
++              item = item->next;
++      }
++      return count;
++}
+--- a/crypto/pqueue/pqueue.h
++++ b/crypto/pqueue/pqueue.h
+@@ -91,5 +91,6 @@ pitem *pqueue_iterator(pqueue pq);
+ pitem *pqueue_next(piterator *iter);
+ void   pqueue_print(pqueue pq);
++int    pqueue_size(pqueue pq);
+ #endif /* ! HEADER_PQUEUE_H */
diff --git a/package/openssl/patches/403-cve-2009-1378.patch b/package/openssl/patches/403-cve-2009-1378.patch
new file mode 100644 (file)
index 0000000..ce5ac43
--- /dev/null
@@ -0,0 +1,22 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1378
+
+--- a/ssl/d1_both.c
++++ b/ssl/d1_both.c
+@@ -561,7 +561,16 @@ dtls1_process_out_of_seq_message(SSL *s,
+       if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
+               goto err;
+-      if (msg_hdr->seq <= s->d1->handshake_read_seq)
++      /* Try to find item in queue, to prevent duplicate entries */
++      pq_64bit_init(&seq64);
++      pq_64bit_assign_word(&seq64, msg_hdr->seq);
++      item = pqueue_find(s->d1->buffered_messages, seq64);
++      pq_64bit_free(&seq64);
++      
++      /* Discard the message if sequence number was already there, is
++       * too far in the future or the fragment is already in the queue */
++      if (msg_hdr->seq <= s->d1->handshake_read_seq ||
++              msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
+               {
+               unsigned char devnull [256];
diff --git a/package/openssl/patches/404-cve-2009-1379.patch b/package/openssl/patches/404-cve-2009-1379.patch
new file mode 100644 (file)
index 0000000..b234d5d
--- /dev/null
@@ -0,0 +1,20 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1379
+
+--- a/ssl/d1_both.c
++++ b/ssl/d1_both.c
+@@ -530,13 +530,14 @@ dtls1_retrieve_buffered_fragment(SSL *s,
+                               frag->fragment,frag->msg_header.frag_len);
+                       }
++              unsigned long frag_len = frag->msg_header.frag_len;
+               dtls1_hm_fragment_free(frag);
+               pitem_free(item);
+               if (al==0)
+                       {
+                       *ok = 1;
+-                      return frag->msg_header.frag_len;
++                      return frag_len;
+                       }
+               ssl3_send_alert(s,SSL3_AL_FATAL,al);
diff --git a/package/openssl/patches/405-cve-2009-1387.patch b/package/openssl/patches/405-cve-2009-1387.patch
new file mode 100644 (file)
index 0000000..b2e3de1
--- /dev/null
@@ -0,0 +1,51 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1387
+
+--- a/ssl/d1_both.c
++++ b/ssl/d1_both.c
+@@ -585,30 +585,31 @@ dtls1_process_out_of_seq_message(SSL *s,
+                       }
+               }
+-      frag = dtls1_hm_fragment_new(frag_len);
+-      if ( frag == NULL)
+-              goto err;
++      if (frag_len)
++      {
++              frag = dtls1_hm_fragment_new(frag_len);
++              if ( frag == NULL)
++                      goto err;
+-      memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
++              memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
+-      if (frag_len)
+-              {
+-              /* read the body of the fragment (header has already been read */
++              /* read the body of the fragment (header has already been read) */
+               i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
+                       frag->fragment,frag_len,0);
+               if (i<=0 || (unsigned long)i!=frag_len)
+                       goto err;
+-              }
+-      pq_64bit_init(&seq64);
+-      pq_64bit_assign_word(&seq64, msg_hdr->seq);
++              pq_64bit_init(&seq64);
++              pq_64bit_assign_word(&seq64, msg_hdr->seq);
+-      item = pitem_new(seq64, frag);
+-      pq_64bit_free(&seq64);
+-      if ( item == NULL)
+-              goto err;
++              item = pitem_new(seq64, frag);
++              pq_64bit_free(&seq64);
++              if ( item == NULL)
++                      goto err;
++
++              pqueue_insert(s->d1->buffered_messages, item);
++      }
+-      pqueue_insert(s->d1->buffered_messages, item);
+       return DTLS1_HM_FRAGMENT_RETRY;
+ err: