package/openssl/patches/900-CVE-2009-1377.patch

   1 http://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest
   2
   3 --- a/crypto/pqueue/pqueue.c
   4 +++ b/crypto/pqueue/pqueue.c
   5 @@ -234,3 +234,17 @@ pqueue_next(pitem **item)
   6
   7         return ret;
   8         }
   9 +
  10 +int
  11 +pqueue_size(pqueue_s *pq)
  12 +{
  13 +       pitem *item = pq->items;
  14 +       int count = 0;
  15 +
  16 +       while(item != NULL)
  17 +       {
  18 +               count++;
  19 +               item = item->next;
  20 +       }
  21 +       return count;
  22 +}
  23 --- a/crypto/pqueue/pqueue.h
  24 +++ b/crypto/pqueue/pqueue.h
  25 @@ -91,5 +91,6 @@ pitem *pqueue_iterator(pqueue pq);
  26  pitem *pqueue_next(piterator *iter);
  27
  28  void   pqueue_print(pqueue pq);
  29 +int    pqueue_size(pqueue pq);
  30
  31  #endif /* ! HEADER_PQUEUE_H */
  32 --- a/ssl/d1_pkt.c
  33 +++ b/ssl/d1_pkt.c
  34 @@ -167,6 +167,10 @@ dtls1_buffer_record(SSL *s, record_pqueu
  35      DTLS1_RECORD_DATA *rdata;
  36         pitem *item;
  37
  38 +       /* Limit the size of the queue to prevent DOS attacks */
  39 +       if (pqueue_size(queue->q) >= 100)
  40 +               return 0;
  41 +
  42         rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
  43         item = pitem_new(priority, rdata);
  44         if (rdata == NULL || item == NULL)