This patch changes the behavior of DTLS regarding erroneous record
headers. The current implementation reports an error if the version or
length entries of the record layer are unexpected and closes the
connection. This was probably taken over from TLS, but it doesn't make
sense for DTLS, since an attacker can easily send random data to
close the connection. In fact every packet not containing the correct
version and length terminates the connection. With this patch such
packets are just silently discarded to keep the connection alive.
--- ssl/d1_pkt.c 1 Jul 2009 11:29:01 -0000 1.27.2.10
+++ ssl/d1_pkt.c 3 Jul 2009 13:43:18 -0000
@@ -586,26 +594,27 @@
{
if (version != s->version)
{
- SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
- /* Send back error using their
- * version number :-) */
- s->version=version;
- al=SSL_AD_PROTOCOL_VERSION;
- goto f_err;
+ /* unexpected version, silently discard */
+ rr->length = 0;
+ s->packet_length = 0;
+ goto again;
}
}
if ((version & 0xff00) != (s->version & 0xff00))
{
- SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
- goto err;
+ /* wrong version, silently discard record */
+ rr->length = 0;
+ s->packet_length = 0;
+ goto again;
}
if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH)
{
- al=SSL_AD_RECORD_OVERFLOW;
- SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG);
- goto f_err;
+ /* record too long, silently discard it */
+ rr->length = 0;
+ s->packet_length = 0;
+ goto again;
}
/* now s->rstate == SSL_ST_READ_BODY */
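Review bot: The three-line discard sequence `rr->length = 0; s->packet_length = 0; goto again;` is now repeated verbatim in all three rejection branches (version mismatch, major-version mismatch, oversized length); a single `goto discard;` to one label holding those two assignments would keep the drop policy in one place and give a single spot to add a debug counter or trace later, since silently dropped records are otherwise invisible when diagnosing the spoofed-datagram traffic this change is meant to tolerate. The two version comments are near-duplicates; the first would be clearer as `/* version differs from the negotiated version, silently discard */` so a reader can tell the two checks apart. Because no alert is sent any more, a legitimate peer with a genuine version or length problem presumably only sees a handshake timeout rather than a fast failure, which seems worth stating in the commit description. The enclosing function, including the `again` label and the outer `if` around the first check, lies outside this hunk.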