Project

General

Profile

Actions

Bug #4233

closed

ssl : Integer underflow in ssl parsing SSLV3_HANDSHAKE_PROTOCOL

Added by Philippe Antoine almost 2 years ago. Updated 10 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:
Needs backport to 5.0, Needs backport to 6.0

Description

Found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28399

First we being parsing SSLV3_HANDSHAKE_PROTOCOL
We set message_start, bytes_processed and message_length in SSLv3ParseHandshakeProtocol

Then, we break out of this SSLV3_HANDSHAKE_PROTOCOL parsing because the other side of the connexion set SSL_AL_FLAG_CHANGE_CIPHER_SPEC
This leads to increasing bytes_processed at the end of SSLv3Decode

Then, we do not break anymore out of this SSLV3_HANDSHAKE_PROTOCOL parsing because the other side set SSL_AL_FLAG_STATE_CLIENT_HELLO
And bytes_processed is now over message_start + message_length


Related issues 3 (0 open3 closed)

Has duplicate Bug #4524: AssertionError in SSLv3ParseHandshakeType ClosedActions
Copied to Bug #4297: ssl : Integer underflow in ssl parsing SSLV3_HANDSHAKE_PROTOCOLClosedJeff LucovskyActions
Copied to Bug #4298: ssl : Integer underflow in ssl parsing SSLV3_HANDSHAKE_PROTOCOLClosedVictor JulienActions
Actions #1

Updated by Philippe Antoine over 1 year ago

  • Status changed from New to In Review

Gitlab MR

Actions #2

Updated by Jeff Lucovsky over 1 year ago

  • Label deleted (Needs backport to 4.1)
Actions #3

Updated by Jeff Lucovsky over 1 year ago

  • Copied to Bug #4297: ssl : Integer underflow in ssl parsing SSLV3_HANDSHAKE_PROTOCOL added
Actions #4

Updated by Jeff Lucovsky over 1 year ago

  • Copied to Bug #4298: ssl : Integer underflow in ssl parsing SSLV3_HANDSHAKE_PROTOCOL added
Actions #6

Updated by Philippe Antoine over 1 year ago

Victor Julien wrote in #note-5:

https://github.com/OISF/suricata/commit/00d7c9034be7470177c01e8805831c258b016d0e

This commit seems for another issue...

Actions #8

Updated by Philippe Antoine over 1 year ago

  • Has duplicate Bug #4524: AssertionError in SSLv3ParseHandshakeType added
Actions #9

Updated by Victor Julien 10 months ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF