Actions
Bug #3774
closedAssert failed in TLS due to integer underflow
Affected Versions:
Effort:
Difficulty:
Label:
Needs backport
Description
Found by oss-fuzz :
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22564
Stack trace is :
#8 0x51f4b0 in SSLv3ParseHandshakeType suricata/src/app-layer-ssl.c:1666:9
#9 0x51e780 in SSLv3ParseHandshakeProtocol suricata/src/app-layer-ssl.c:1736:18
#10 0x51cef6 in SSLv3Decode suricata/src/app-layer-ssl.c:2421:26
#11 0x51b6b7 in SSLDecode suricata/src/app-layer-ssl.c:2608:26
#12 0x51a9d1 in SSLParseServerRecord suricata/src/app-layer-ssl.c:2658:12
#13 0x50da1a in AppLayerParserParse suricata/src/app-layer-parser.c:1228:30
#14 0x4c3860 in LLVMFuzzerTestOneInput suricata/src/tests/fuzz/fuzz_applayerparserparse.c:146:16
Files
Updated by Philippe Antoine almost 4 years ago
Bug analysis :
In SSLv3ParseHandshakeType, we use the condition
if (ssl_state->curr_connp->message_start + ssl_state->curr_connp->message_length <
ssl_state->curr_connp->bytes_processed + input_len)
before assigning
write_len = (ssl_state->curr_connp->message_start + ssl_state->curr_connp->message_length) -
ssl_state->curr_connp->bytes_processed;
- ssl_state->curr_connp->message_length = 9
- ssl_state->curr_connp->bytes_processed = 10
Leading to bad write_len = 0xFFFFFFFF
We seem to need the 5 packets of the reproducer to get this :
First packet (from server to client) has 9 bytes payloadAfter this packet, we have
- ssl_state->curr_connp->message_length = 9
- ssl_state->curr_connp->bytes_processed = 9
Second packet is from client to server to progress handshake somehow
Third packet is from serverIt does not reach
SSLv3ParseHandshakeType because of SSLv3Decode lines get into the break case : if (ssl_state->flags & SSL_AL_FLAG_CHANGE_CIPHER_SPEC) {
/* In TLSv1.3, ChangeCipherSpec is only used for middlebox
compability (rfc8446, appendix D.4). */
if ((ssl_state->client_connp.version > TLS_VERSION_12) &&
((ssl_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) == 0)) {
/* do nothing */
} else {
break;
}
}
After this packet, we get
- ssl_state->curr_connp->message_length = 9
- ssl_state->curr_connp->bytes_processed = 10
Fourth packet is from the client and modifies ssl_state->client_connp.version so as to ssl_state->client_connp.version > TLS_VERSION_12 becomes true
Fifth and last packet from server triggers the integer underflow
Updated by Philippe Antoine almost 4 years ago
- Status changed from New to In Review
- Assignee set to Philippe Antoine
PR in private Gitlab
Updated by Jeff Lucovsky almost 4 years ago
- Copied to Bug #3791: Assert failed in TLS due to integer underflow added
Updated by Jeff Lucovsky almost 4 years ago
- Copied to Bug #3792: Assert failed in TLS due to integer underflow added
Updated by Victor Julien almost 4 years ago
- Subject changed from Assert failed in TLS dur to integer underflow to Assert failed in TLS due to integer underflow
Updated by Philippe Antoine almost 4 years ago
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24060 is a new variant found
Updated by Victor Julien over 3 years ago
- Target version changed from 6.0.0beta1 to 6.0.0rc1
Updated by Victor Julien over 3 years ago
- Target version changed from 6.0.0rc1 to 6.0.0
Updated by Victor Julien over 3 years ago
- Status changed from In Review to Closed
Actions