This simple fix to the 0.9.8 branch addresses RT #1703, where a DTLS bug
causes applications to abort. It was causing my VPN client to abort
during temporary network problems which it should have coped with and
recovered from.

When the underlying BIO_write() fails to send a datagram, we leave the
offending record queued as 'pending'. The DTLS code doesn't expect this,
and we end up hitting an OPENSSL_assert() in do_dtls1_write().

The simple fix is just _not_ to leave it queued. In DTLS, dropping
packets is perfectly acceptable -- and even preferable. If we wanted a
service with retries and guaranteed delivery, we'd be using TCP.

--- ssl/s3_pkt.c~ 2006-11-29 14:45:14.000000000 +0000
+++ ssl/s3_pkt.c 2008-10-02 06:41:07.000000000 +0100
@@ -753,8 +753,15 @@ int ssl3_write_pending(SSL *s, int type,
s->rwstate=SSL_NOTHING;
return(s->s3->wpend_ret);
}
- else if (i <= 0)
+ else if (i <= 0) {
+ if (s->version == DTLS1_VERSION ||
+ s->version == DTLS1_BAD_VER) {
+ /* For DTLS, just drop it. That's kind of the whole
+ point in using a datagram service */
+ s->s3->wbuf.left = 0;
+ }
return(i);
+ }
s->s3->wbuf.offset+=i;
s->s3->wbuf.left-=i;
}
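Review bot: In the new `else if (i <= 0) {` branch, the DTLS path clears `s->s3->wbuf.left` but leaves `s->rwstate` untouched, whereas the completion path just above resets it with `s->rwstate=SSL_NOTHING;`. The function still returns `i` after discarding the record, so please confirm that a caller which retries the write on that return value finds consistent state, and either reset `rwstate` here or say in the comment why it is left alone. The drop also applies to every `i <= 0` result, so the comment should state that transient failures are discarded deliberately along with hard errors. A reference to RT #1703 in the comment would help later readers, and the `DTLS1_VERSION` / `DTLS1_BAD_VER` test inside `ssl3_write_pending()` deserves a word on why DTLS handling lives in this shared SSL3 path.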


--
dwmw2

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org