Skip to content

Commit

Permalink
Merge pull request #18 from k0nserv/fix-fragment-buffer-zero-length-f…
Browse files Browse the repository at this point in the history 
…ragments

Backport zero length fragment fix from Pion
  • Loading branch information
@rainliu
rainliu committed May 18, 2022
2 parents 0652e53 + e2c8f00 commit a064503
Show file tree
Hide file tree
Showing 2 changed files with 17 additions and 0 deletions.
13 changes: 13 additions & 0 deletions crates/dtls/src/fragment_buffer/fragment_buffer_test.rs
View file
Expand Up @@ -105,6 +105,19 @@ fn test_fragment_buffer() -> Result<()> {
],
0,
),
// Ensure zero length fragments don't cause an infinite recursive loop which in turn causes
// a stack overflow.
(
"Zero length fragment",
vec![vec![
0x16, 0xfe, 0xfd, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d, 0x00,
0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
]],
vec![vec![
0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
]],
0,
),
];

for (name, inputs, expects, expected_epoch) in tests {
Expand Down
4 changes: 4 additions & 0 deletions crates/dtls/src/fragment_buffer/mod.rs
View file
Expand Up @@ -138,7 +138,11 @@ fn append_message(target_offset: u32, frags: &[Fragment], raw_message: &mut Vec<
if f.handshake_header.fragment_offset == target_offset {
let fragment_end =
f.handshake_header.fragment_offset + f.handshake_header.fragment_length;

// NB: Order here is imporant, the `f.handshake_header.fragment_length != 0`
// MUST come before the recursive call.
if fragment_end != f.handshake_header.length
&& f.handshake_header.fragment_length != 0
&& !append_message(fragment_end, frags, raw_message)
{
return false;
Expand Down

0 comments on commit a064503

Please sign in to comment.