]> git.ipfire.org Git - thirdparty/openssl.git/commit
projects / thirdparty / openssl.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 3094c0f) | patch
Drop empty app data records in DTLS
authorMatt Caswell <matt@openssl.org>
Tue, 29 Apr 2025 13:21:49 +0000 (14:21 +0100)
committerTomas Mraz <tomas@openssl.org>
Wed, 7 May 2025 12:36:59 +0000 (14:36 +0200)
commit1c42b0270d755aa020ed252a60f18383f1a3a3a3
treeb2799962eb689f28bee4853b691b162634ae26c1tree
parent3094c0f5e331e5e705312548fbab48fa938cbb5ecommit | diff
Drop empty app data records in DTLS

App data records with 0 bytes of payload will confuse callers of SSL_read().
This will cause a successful read and return 0 bytes as read. Unfortunately
a 0 return from SSL_read() is considered a failure response. A subsequent
call to SSL_get_error() will then give the wrong result.

Zero length app data records are actually allowed by the spec, but have
never been handled correctly by OpenSSL. We already disallow creating such
empty app data records. Since the SSL_read() API does not have a good way to
handle this type of read, we simply ignore them.

Partial fix for #27316

Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27541)

(cherry picked from commit a23d5e20f162564d8c13bda50ea358caaa7b047c)
ssl/record/methods/dtls_meth.c diff | blob | blame | history
Mirror of https://github.com/openssl/openssl.git