boringssl/ssl
Adam Langley 44e2709cd6 Fix DTLS memory leak.
A memory leak can occur in dtls1_buffer_record if either of the calls to
ssl3_setup_buffers or pqueue_insert fail. The former will fail if there
is a malloc failure, whilst the latter will fail if attempting to add a
duplicate record to the queue. This should never happen because
duplicate records should be detected and dropped before any attempt to
add them to the queue. Unfortunately records that arrive that are for
the next epoch are not being recorded correctly, and therefore replays
are not being detected. Additionally, these "should not happen" failures
that can occur in dtls1_buffer_record are not being treated as fatal and
therefore an attacker could exploit this by sending repeated replay
records for the next epoch, eventually causing a DoS through memory
exhaustion.

Thanks to Chris Mueller for reporting this issue and providing initial
analysis and a patch. Further analysis and the final patch were performed
by Matt Caswell from the OpenSSL development team.

CVE-2015-0206

(Imported from upstream's 7c6a3cf2375f5881ef3f3a58ac0fbd0b4663abd1).

Change-Id: I765fe61c75bc295bcc4ab356b8a5ce88c8964764
Reviewed-on: https://boringssl-review.googlesource.com/2782
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-01-09 19:41:47 +00:00
pqueue Test insertion of duplicates in pqueue_test. 2014-11-06 01:46:57 +00:00
test Treat handshake_failure in response to ClientHello special. 2015-01-06 18:31:49 +00:00
CMakeLists.txt Merge SSLv23_method and DTLS_ANY_VERSION. 2014-12-13 15:22:21 -08:00
d1_both.c Add outgoing messages to the handshake hash at set_handshake_header. 2014-12-16 01:43:51 +00:00
d1_clnt.c Reformatting of several DTLS source files. 2014-12-13 16:28:18 -08:00
d1_lib.c Add outgoing messages to the handshake hash at set_handshake_header. 2014-12-16 01:43:51 +00:00
d1_meth.c Reformatting of several DTLS source files. 2014-12-13 16:28:18 -08:00
d1_pkt.c Fix DTLS memory leak. 2015-01-09 19:41:47 +00:00
d1_srtp.c Reformat d1_{srtp|srvr}.c and s3_both.c 2014-12-15 18:42:07 -08:00
d1_srvr.c Reformat d1_{srtp|srvr}.c and s3_both.c 2014-12-15 18:42:07 -08:00
s3_both.c Touch up ssl3_get_message. 2014-12-17 00:16:23 +00:00
s3_cbc.c Reformatting of s3_{cbc|clnt}.c 2014-12-17 19:06:57 -08:00
s3_clnt.c Treat handshake_failure in response to ClientHello special. 2015-01-06 18:31:49 +00:00
s3_enc.c Reformat s3_{enc|lib}.c. 2014-12-18 12:09:22 -08:00
s3_lib.c Reformat s3_{enc|lib}.c. 2014-12-18 12:09:22 -08:00
s3_meth.c Merge SSLv23_method and DTLS_ANY_VERSION. 2014-12-13 15:22:21 -08:00
s3_pkt.c Reformat the rest of ssl/. 2014-12-18 17:43:03 -08:00
s3_srvr.c Reformat the rest of ssl/. 2014-12-18 17:43:03 -08:00
ssl_algs.c Reformat the rest of ssl/. 2014-12-18 17:43:03 -08:00
ssl_asn1.c Remove psk_identity_hint from SSL_SESSION. 2014-11-10 23:59:47 +00:00
ssl_cert.c Reformat the rest of ssl/. 2014-12-18 17:43:03 -08:00
ssl_ciph.c Cast ca_list to (void *) to silence msvc warning 4090 2015-01-06 01:14:03 +00:00
ssl_error.c Treat handshake_failure in response to ClientHello special. 2015-01-06 18:31:49 +00:00
ssl_lib.c Reformat the rest of ssl/. 2014-12-18 17:43:03 -08:00
ssl_locl.h Reformat the rest of ssl/. 2014-12-18 17:43:03 -08:00
ssl_rsa.c Reformat the rest of ssl/. 2014-12-18 17:43:03 -08:00
ssl_sess.c Reformat the rest of ssl/. 2014-12-18 17:43:03 -08:00
ssl_stat.c Reformat the rest of ssl/. 2014-12-18 17:43:03 -08:00
ssl_test.c Merge SSLv23_method and DTLS_ANY_VERSION. 2014-12-13 15:22:21 -08:00
ssl_txt.c Reformat the rest of ssl/. 2014-12-18 17:43:03 -08:00
t1_enc.c Reformat the rest of ssl/. 2014-12-18 17:43:03 -08:00
t1_lib.c Reformat the rest of ssl/. 2014-12-18 17:43:03 -08:00
t1_reneg.c Reformat the rest of ssl/. 2014-12-18 17:43:03 -08:00