From: Nicolas Thill <nico@openwrt.org>
Date: Mon, 24 Aug 2009 10:19:44 +0000 (+0000)
Subject: [8.09] openssl: fix 4 DoS vulnerabilities in DTLS
X-Git-Url: http://git.openwrt.org/?p=openwrt%2Fsvn-archive%2Farchive.git;a=commitdiff_plain;hb=524f8dd8d0900ef3bf54d87a625fbd8deee8d956

[8.09] openssl: fix 4 DoS vulnerabilities in DTLS
 - CVE-2009-1377
 - CVE-2009-1378
 - CVE-2009-1379
 - CVE-2009-1387


SVN-Revision: 17361
---

diff --git a/package/openssl/Makefile b/package/openssl/Makefile
index f72b99bc92..14aa5b3f3e 100644
--- a/package/openssl/Makefile
+++ b/package/openssl/Makefile
@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_VERSION:=0.9.8i
-PKG_RELEASE:=3.1
+PKG_RELEASE:=3.2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://www.openssl.org/source/ \
diff --git a/package/openssl/patches/402-cve-2009-1377.patch b/package/openssl/patches/402-cve-2009-1377.patch
new file mode 100644
index 0000000000..b81c824035
--- /dev/null
+++ b/package/openssl/patches/402-cve-2009-1377.patch
@@ -0,0 +1,44 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1377
+
+--- a/ssl/d1_pkt.c
++++ b/ssl/d1_pkt.c
+@@ -167,6 +167,10 @@ dtls1_buffer_record(SSL *s, record_pqueu
+     DTLS1_RECORD_DATA *rdata;
+ 	pitem *item;
+ 
++	/* Limit the size of the queue to prevent DOS attacks */
++	if (pqueue_size(queue->q) >= 100)
++		return 0;
++		
+ 	rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
+ 	item = pitem_new(priority, rdata);
+ 	if (rdata == NULL || item == NULL)
+--- a/crypto/pqueue/pqueue.c
++++ b/crypto/pqueue/pqueue.c
+@@ -234,3 +234,17 @@ pqueue_next(pitem **item)
+ 
+ 	return ret;
+ 	}
++
++int
++pqueue_size(pqueue_s *pq)
++{
++	pitem *item = pq->items;
++	int count = 0;
++	
++	while(item != NULL)
++	{
++		count++;
++		item = item->next;
++	}
++	return count;
++}
+--- a/crypto/pqueue/pqueue.h
++++ b/crypto/pqueue/pqueue.h
+@@ -91,5 +91,6 @@ pitem *pqueue_iterator(pqueue pq);
+ pitem *pqueue_next(piterator *iter);
+ 
+ void   pqueue_print(pqueue pq);
++int    pqueue_size(pqueue pq);
+ 
+ #endif /* ! HEADER_PQUEUE_H */
diff --git a/package/openssl/patches/403-cve-2009-1378.patch b/package/openssl/patches/403-cve-2009-1378.patch
new file mode 100644
index 0000000000..ce5ac43dbe
--- /dev/null
+++ b/package/openssl/patches/403-cve-2009-1378.patch
@@ -0,0 +1,22 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1378
+
+--- a/ssl/d1_both.c
++++ b/ssl/d1_both.c
+@@ -561,7 +561,16 @@ dtls1_process_out_of_seq_message(SSL *s,
+ 	if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
+ 		goto err;
+ 
+-	if (msg_hdr->seq <= s->d1->handshake_read_seq)
++	/* Try to find item in queue, to prevent duplicate entries */
++	pq_64bit_init(&seq64);
++	pq_64bit_assign_word(&seq64, msg_hdr->seq);
++	item = pqueue_find(s->d1->buffered_messages, seq64);
++	pq_64bit_free(&seq64);
++	
++	/* Discard the message if sequence number was already there, is
++	 * too far in the future or the fragment is already in the queue */
++	if (msg_hdr->seq <= s->d1->handshake_read_seq ||
++		msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
+ 		{
+ 		unsigned char devnull [256];
+ 
diff --git a/package/openssl/patches/404-cve-2009-1379.patch b/package/openssl/patches/404-cve-2009-1379.patch
new file mode 100644
index 0000000000..b234d5d417
--- /dev/null
+++ b/package/openssl/patches/404-cve-2009-1379.patch
@@ -0,0 +1,20 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1379
+
+--- a/ssl/d1_both.c
++++ b/ssl/d1_both.c
+@@ -530,13 +530,14 @@ dtls1_retrieve_buffered_fragment(SSL *s,
+ 				frag->fragment,frag->msg_header.frag_len);
+ 			}
+ 
++		unsigned long frag_len = frag->msg_header.frag_len;
+ 		dtls1_hm_fragment_free(frag);
+ 		pitem_free(item);
+ 
+ 		if (al==0)
+ 			{
+ 			*ok = 1;
+-			return frag->msg_header.frag_len;
++			return frag_len;
+ 			}
+ 
+ 		ssl3_send_alert(s,SSL3_AL_FATAL,al);
diff --git a/package/openssl/patches/405-cve-2009-1387.patch b/package/openssl/patches/405-cve-2009-1387.patch
new file mode 100644
index 0000000000..b2e3de1a19
--- /dev/null
+++ b/package/openssl/patches/405-cve-2009-1387.patch
@@ -0,0 +1,51 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1387
+
+--- a/ssl/d1_both.c
++++ b/ssl/d1_both.c
+@@ -585,30 +585,31 @@ dtls1_process_out_of_seq_message(SSL *s,
+ 			}
+ 		}
+ 
+-	frag = dtls1_hm_fragment_new(frag_len);
+-	if ( frag == NULL)
+-		goto err;
++	if (frag_len)
++	{
++		frag = dtls1_hm_fragment_new(frag_len);
++		if ( frag == NULL)
++			goto err;
+ 
+-	memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
++		memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
+ 
+-	if (frag_len)
+-		{
+-		/* read the body of the fragment (header has already been read */
++		/* read the body of the fragment (header has already been read) */
+ 		i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
+ 			frag->fragment,frag_len,0);
+ 		if (i<=0 || (unsigned long)i!=frag_len)
+ 			goto err;
+-		}
+ 
+-	pq_64bit_init(&seq64);
+-	pq_64bit_assign_word(&seq64, msg_hdr->seq);
++		pq_64bit_init(&seq64);
++		pq_64bit_assign_word(&seq64, msg_hdr->seq);
+ 
+-	item = pitem_new(seq64, frag);
+-	pq_64bit_free(&seq64);
+-	if ( item == NULL)
+-		goto err;
++		item = pitem_new(seq64, frag);
++		pq_64bit_free(&seq64);
++		if ( item == NULL)
++			goto err;
++
++		pqueue_insert(s->d1->buffered_messages, item);
++	}
+ 
+-	pqueue_insert(s->d1->buffered_messages, item);
+ 	return DTLS1_HM_FRAGMENT_RETRY;
+ 
+ err: