buffers: match DTLS datagrams by sequence number

DTLS handshake fragment reassembly previously matched incoming fragments
by handshake type only, without checking the sequence number.
This allowed fragments from different handshake messages
to be merged into the same reassembly buffer.

Now sequence number is accounted for during reassembly,
ensuring fragments are only merged when they belong
to the same handshake message.

Reported-by: Zou Dikai
Fixes: #1839
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

diff --git a/lib/buffers.c b/lib/buffers.c
index 5d4d1627686b072a139e8aa4fe98af017e06865b..62f140ed3c1456cd050ed3be5ee24138d58a813d 100644 (file)
--- a/lib/buffers.c
+++ b/lib/buffers.c
@@ -971,7 +971,8 @@ static int merge_handshake_packet(gnutls_session_t session,
                session->internals.handshake_recv_buffer;
 
        for (i = 0; i < session->internals.handshake_recv_buffer_size; i++) {
-               if (recv_buf[i].htype == hsk->htype) {
+               if (recv_buf[i].htype == hsk->htype &&
+                   recv_buf[i].sequence == hsk->sequence) {
                        exists = 1;
                        pos = i;
                        break;