From cbcb11f5cd46024ff0f1136572d978dc4f50144a Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Thu, 24 Jul 2014 23:54:28 +0100
Subject: [PATCH 06/16] Applying same fix as in
 dtls1_process_out_of_seq_message. A truncated DTLS fragment would cause *ok
 to be clear, but the return value would still be the number of bytes read.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Problem identified by Emilia Käsper, based on previous issue/patch by Adam
Langley.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
---
 ssl/d1_both.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index ac0fcaa..ea8f340 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -663,7 +663,9 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
 	/* read the body of the fragment (header has already been read */
 	i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
 		frag->fragment + msg_hdr->frag_off,frag_len,0);
-	if (i<=0 || (unsigned long)i!=frag_len)
+	if ((unsigned long)i!=frag_len)
+		i=-1;
+	if (i<=0)
 		goto err;
 
 	RSMBLY_BITMASK_MARK(frag->reassembly, (long)msg_hdr->frag_off,
-- 
2.0.1