Added description of change to the Changelog
Also clarified some comments following review.
diff --git a/ChangeLog b/ChangeLog
index 4065d04..ca09968 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,15 @@
mbed TLS ChangeLog (Sorted per branch, date)
+= mbed TLS 2.1.4 released 2015-12-xx
+
+Changes
+ * To avoid dropping an entire DTLS datagram if a single record in a datagram
+ is invalid, we now only drop the record and look at subsequent records (if
+ any are present) in the same datagram to avoid interoperability issues.
+ Previously the library was dropping the entire datagram, Where a record is
+ unexpected, the function mbedtls_ssl_read_record() will now return
+ MBEDTLS_ERR_SSL_UNEXPECTED_RECORD.
+
= mbed TLS 2.1.3 released 2015-11-04
Security
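Review bot: The first sentence of the new entry says a single *invalid* record is now dropped on its own, but the ssl_parse_record_header() comment updated in this same patch says only MBEDTLS_ERR_SSL_UNEXPECTED_RECORD causes mbedtls_ssl_read_record() to drop just the current record, and "anything else" (which includes MBEDTLS_ERR_SSL_INVALID_RECORD) still drops the whole datagram. Please reword the entry around "unexpected" rather than "invalid" so the ChangeLog matches the documented behaviour, and drop one of the two "to avoid ... interoperability" clauses, which say the same thing twice. The closing sentence also attributes the new return value to the wrong function: per the ssl_tls.c comment it is ssl_parse_record_header() that returns MBEDTLS_ERR_SSL_UNEXPECTED_RECORD, and mbedtls_ssl_read_record() acts on it by skipping the record, so something like "Where a record is unexpected, ssl_parse_record_header() now returns MBEDTLS_ERR_SSL_UNEXPECTED_RECORD and mbedtls_ssl_read_record() skips only that record." would be accurate. Minor: "Previously the library was dropping the entire datagram, Where a record is" is a comma splice with a capitalised "Where"; split it into two sentences. The "2015-12-xx" date placeholder needs filling in before the release tag.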
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 3d1f49a..ddc7bdc 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3457,16 +3457,16 @@
* uint16 length;
*
* Return 0 if header looks sane (and, for DTLS, the record is expected)
- * MBEDTLS_ERR_SSL_INVALID_RECORD is the header looks bad,
+ * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad,
* MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected.
*
* With DTLS, mbedtls_ssl_read_record() will:
- * 1. proceed with the record if we return 0
- * 2. drop only the current record if we return UNEXPECTED_RECORD
- * 3. return CLIENT_RECONNECT if we return that
- * 4. drop the whole datagram if we return anything else.
- * Point 2 is needed when the peer is resending, and we already received the
- * first record from a datagram but are still waiting for the others.
+ * 1. proceed with the record if this function returns 0
+ * 2. drop only the current record if this function returns UNEXPECTED_RECORD
+ * 3. return CLIENT_RECONNECT if this function returns that value
+ * 4. drop the whole datagram if this function returns anything else.
+ * Point 2 is needed when the peer is resending, and we have already received
+ * the first record from a datagram but are still waiting for the others.
*/
static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
{
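Review bot: The "Return" list above this hunk is now incomplete: point 3 says the function can return CLIENT_RECONNECT, but the list only documents 0, MBEDTLS_ERR_SSL_INVALID_RECORD and MBEDTLS_ERR_SSL_UNEXPECTED_RECORD. Add a line such as "MBEDTLS_ERR_SSL_CLIENT_RECONNECT (DTLS server only) if the record is a new ClientHello from a known peer" (adjust to whatever condition the body actually checks) so the documented return set matches the dispatch described in points 1-4. Style: the numbered points use the abbreviated names UNEXPECTED_RECORD and CLIENT_RECONNECT while the Return list two lines earlier spells out the full MBEDTLS_ERR_SSL_* identifiers; use the full names in both places so a grep for the constant finds every mention. The "is" -> "if" fix and the "we" -> "this function" rewording are good; the rewritten point 2 explanation reads clearly.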