]> git.ipfire.org Git - thirdparty/openssl.git/commit
projects / thirdparty / openssl.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 858d3b6) | patch
Drop empty app data records in DTLS
authorMatt Caswell <matt@openssl.org>
Tue, 29 Apr 2025 13:21:49 +0000 (14:21 +0100)
committerTomas Mraz <tomas@openssl.org>
Wed, 7 May 2025 12:36:44 +0000 (14:36 +0200)
commita6bab1d33aa22c068f89b51ee1bc080f3be07927
treee6605008794b5f9c6f8b1d5f4f1062f024760704tree
parent858d3b677fe2defcd2f3b7801de855bee5c061f7commit | diff
Drop empty app data records in DTLS

App data records with 0 bytes of payload will confuse callers of SSL_read().
This will cause a successful read and return 0 bytes as read. Unfortunately
a 0 return from SSL_read() is considered a failure response. A subsequent
call to SSL_get_error() will then give the wrong result.

Zero length app data records are actually allowed by the spec, but have
never been handled correctly by OpenSSL. We already disallow creating such
empty app data records. Since the SSL_read() API does not have a good way to
handle this type of read, we simply ignore them.

Partial fix for #27316

Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27541)

(cherry picked from commit a23d5e20f162564d8c13bda50ea358caaa7b047c)
ssl/record/methods/dtls_meth.c diff | blob | blame | history
Mirror of https://github.com/openssl/openssl.git