Added description of change to the Changelog
Also clarified some comments following review.
diff --git a/ChangeLog b/ChangeLog
index 8a736f9..bb50581 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,15 @@
mbed TLS ChangeLog (Sorted per branch, date)
+= mbed TLS 2.2.1 released 2015-12-xx
+
+Changes
+ * To avoid dropping an entire DTLS datagram if a single record in a datagram
+ is invalid, we now only drop the record and look at subsequent records (if
+ any are presemt) in the same datagram to avoid interoperability issues.
+ Previously the library was dropping the entire datagram. Where a record is
+ unexpected, the function mbedtls_ssl_read_record() will now return
+ MBEDTLS_ERR_SSL_UNEXPECTED_RECORD.
+
= mbed TLS 2.2.0 released 2015-11-04
Security
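Review bot: typo in the new ChangeLog entry: "presemt" should read "present" in the line "any are presemt) in the same datagram". While touching the entry, the sentence "to avoid interoperability issues" reads as if it qualifies "look at subsequent records"; moving it to the start ("To avoid interoperability issues caused by dropping an entire DTLS datagram when a single record is invalid, ...") makes the motivation clearer, and a reader checking behaviour would benefit from the entry also stating that only the DTLS path is affected, as the function comment in ssl_tls.c does.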
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 186eb4b..aa473e9 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3467,16 +3467,16 @@
* uint16 length;
*
* Return 0 if header looks sane (and, for DTLS, the record is expected)
- * MBEDTLS_ERR_SSL_INVALID_RECORD is the header looks bad,
+ * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad,
* MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected.
*
* With DTLS, mbedtls_ssl_read_record() will:
- * 1. proceed with the record if we return 0
- * 2. drop only the current record if we return UNEXPECTED_RECORD
- * 3. return CLIENT_RECONNECT if we return that
- * 4. drop the whole datagram if we return anything else.
- * Point 2 is needed when the peer is resending, and we already received the
- * first record from a datagram but are still waiting for the others.
+ * 1. proceed with the record if this function returns 0
+ * 2. drop only the current record if this function returns UNEXPECTED_RECORD
+ * 3. return CLIENT_RECONNECT if this function return that value
+ * 4. drop the whole datagram if this function returns anything else.
+ * Point 2 is needed when the peer is resending, and we have already received
+ * the first record from a datagram but are still waiting for the others.
*/
static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
{
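Review bot: point 3 of the rewritten comment still has a grammar slip: "3. return CLIENT_RECONNECT if this function return that value" should be "returns that value", consistent with points 1, 2 and 4 in the same list. The "is the header looks bad" to "if the header looks bad" fix and the "we return" to "this function returns" rewording are otherwise fine and read more clearly than before.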