Fix CVE-2014-0221 Unnecessary recursion when receiving a DTLS hello request can be used to crash a DTLS client. Fixed by handling DTLS hello request without recursion. Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue. (Imported from upstream's 8942b92c7cb5fa144bd79b7607b459d0b777164c)

commit: 895780572b7895784ed7088248ecb2ed5dd0c97a [log] [tgz]
author: Adam Langley <agl@chromium.org> Fri Jun 20 12:00:00 2014 -0700
committer: Adam Langley <agl@chromium.org> Fri Jun 20 13:17:41 2014 -0700
tree: db55066e75ae532e638524a8c99968d0d40600d7
parent: d06eddd15cc94023a9a3fedf7b1c28aabf159e4d [diff]
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index fc7fa9f..597d49b 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c

@@ -792,6 +792,7 @@
 	int i,al;
 	struct hm_header_st msg_hdr;
 
+	redo:
 	/* see if we have the required fragment already */
 	if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) || *ok)
 		{
@@ -850,8 +851,7 @@
 					s->msg_callback_arg);
 			
 			s->init_num = 0;
-			return dtls1_get_message_fragment(s, stn,
-				max, ok);
+			goto redo;
 			}
 		else /* Incorrectly formated Hello request */
 			{
commit	895780572b7895784ed7088248ecb2ed5dd0c97a	[log] [tgz]
author	Adam Langley <agl@chromium.org>	Fri Jun 20 12:00:00 2014 -0700
committer	Adam Langley <agl@chromium.org>	Fri Jun 20 13:17:41 2014 -0700
tree	db55066e75ae532e638524a8c99968d0d40600d7
parent	d06eddd15cc94023a9a3fedf7b1c28aabf159e4d [diff]