The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment.

diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 1bb2e4d..7de9ae4 100644 (file)
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -627,7 +627,16 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
                frag->msg_header.frag_off = 0;
                }
        else
+               {
                frag = (hm_fragment*) item->data;
+               if (frag->msg_header.msg_len != msg_hdr->msg_len)
+                       {
+                       item = NULL;
+                       frag = NULL;
+                       goto err;
+                       }
+               }
+
 
        /* If message is already reassembled, this must be a
         * retransmit and can be dropped.