From aa4de6e17071f641a7d7aafb128c0128574b5334 Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Mon, 17 Dec 2018 15:40:35 -0800
Subject: [PATCH] DTLS Nonblocking Updates

Do not allow the DTLS message flight be retransmit without being finished. This can happen if a non-blocking transmit times out the response and the application tries to retransmit.
---
 src/internal.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/internal.c b/src/internal.c
index dc3e0d7d6..5f5a56cb0 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -6090,6 +6090,18 @@ int DtlsMsgPoolSend(WOLFSSL* ssl, int sendOnlyFirstPacket)
     WOLFSSL_ENTER("DtlsMsgPoolSend()");
     if (pool != NULL) {
+        if ((ssl->options.side == WOLFSSL_SERVER_END &&
+             !(ssl->options.acceptState == SERVER_HELLO_DONE ||
+               ssl->options.acceptState == ACCEPT_FINISHED_DONE)) ||
+            (ssl->options.side == WOLFSSL_CLIENT_END &&
+             !(ssl->options.connectState == CLIENT_HELLO_SENT ||
+               ssl->options.connectState == HELLO_AGAIN_REPLY ||
+               ssl->options.connectState == FINISHED_DONE))) {
+
+            WOLFSSL_ERROR(DTLS_RETX_OVER_TX);
+            ssl->error = DTLS_RETX_OVER_TX;
+            return WOLFSSL_FATAL_ERROR;
+        }
         while (pool != NULL) {
             if (pool->seq == 0) {