commit 7e7af0bc516fffbb28b0eb659bfd896a2c051073
author Lutz Jänicke <jaenicke@openssl.org> Fri Oct 10 10:41:35 2008 +0000
committer Lutz Jänicke <jaenicke@openssl.org> Fri Oct 10 10:41:35 2008 +0000
tree 8f366ee45cb4027f64d0df5c20654318c7c58a36
parent 87d3a0cd9006f67fed0d3335d8b1c5ab94a26f8f

When the underlying BIO_write() fails to send a datagram, we leave the
offending record queued as 'pending'. The DTLS code doesn't expect this,
and we end up hitting an OPENSSL_assert() in do_dtls1_write().

The simple fix is just _not_ to leave it queued. In DTLS, dropping
packets is perfectly acceptable -- and even preferable. If we wanted a
service with retries and guaranteed delivery, we'd be using TCP.
PR: #1703
Submitted by: David Woodhouse <dwmw2@infradead.org>

ssl/s3_pkt.c

diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 7593ad9..1d6760e 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -828,8 +828,16 @@
 			s->rwstate=SSL_NOTHING;
 			return(s->s3->wpend_ret);
 			}
-		else if (i <= 0)
+		else if (i <= 0) {
+			if (s->version == DTLS1_VERSION ||
+			    s->version == DTLS1_BAD_VER) {
+				/* For DTLS, just drop it. That's kind of the wh
+ole
+				   point in using a datagram service */
+				wb->left = 0;
+			}
 			return(i);
+		}
 		wb->offset+=i;
 		wb->left-=i;
 		}