Bug #5564 (Closed)
tls: buffer overread
Affected Versions:
Effort:
Difficulty:
Label:
Description
Found by oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52094
Reproducer is attached
Updated by Philippe Antoine about 2 years ago
Multiple issues:

    ssl_state->curr_connp->hs_buffer_offset += add;
    if (ssl_state->curr_connp->hs_buffer_message_size <=
        ssl_state->curr_connp->hs_buffer_offset + input_len) {

The check should remove + input_len (because it was already added to hs_buffer_offset just before).

    TLSDecodeHandshakeHello(ssl_state, input, ssl_state->curr_connp->message_length);

We should use input_len.
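Added illustration of the first point in the comment above (the double-counted input_len). This is example code written for this page, not Suricata's TLS parser: the struct, the hs_buffer_append helper, the 3-byte record size and the 8-byte sample message are all constructed here, and only the field names mirror the ones quoted in the report. It feeds a message through the check as quoted and through the corrected check, and reports how many bytes are still missing from the buffer at the moment each check first declares the message complete. The second point (passing message_length instead of input_len to the decoder) is not modeled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical model of a TLS handshake reassembly buffer (not Suricata's
 * struct; the field names only mirror those quoted in the bug report).
 */
struct hs_buf {
    uint8_t data[64];
    size_t message_size; /* length of the handshake message being reassembled */
    size_t offset;       /* bytes copied into data so far */
};

/*
 * Append one record's worth of handshake bytes and report whether the
 * message is now complete. `buggy` selects the check as quoted in the
 * report, which adds input_len to an offset that already includes it.
 */
static int hs_buffer_append(struct hs_buf *b, const uint8_t *input,
                            size_t input_len, int buggy)
{
    size_t room = b->message_size - b->offset;
    size_t add = input_len < room ? input_len : room; /* never write past the message */
    memcpy(b->data + b->offset, input, add);
    b->offset += add;

    if (buggy)
        return b->message_size <= b->offset + input_len; /* input_len counted twice */
    return b->message_size <= b->offset;                  /* corrected check */
}

/*
 * Feed a constructed 8-byte handshake message in 3-byte records and return
 * how many bytes are still missing when the selected check first says
 * "complete". Any non-zero result means a decoder that trusts the check
 * would read message_size bytes from a buffer holding only offset of them.
 */
size_t bytes_missing_at_completion(int buggy)
{
    /* Constructed sample: handshake type 1 (ClientHello), 3-byte length 4, then 4 body bytes. */
    const uint8_t msg[8] = {0x01, 0x00, 0x00, 0x04, 0x03, 0x03, 0xaa, 0xbb};
    struct hs_buf b = { .message_size = sizeof msg, .offset = 0 };
    size_t fed = 0;

    while (fed < sizeof msg) {
        size_t chunk = sizeof msg - fed < 3 ? sizeof msg - fed : 3;
        if (hs_buffer_append(&b, msg + fed, chunk, buggy))
            return b.message_size - b.offset;
        fed += chunk;
    }
    return 0; /* message consumed without the check ever firing */
}

int main(void)
{
    printf("quoted check: %zu bytes missing when it fires\n",
           bytes_missing_at_completion(1));
    printf("corrected check: %zu bytes missing when it fires\n",
           bytes_missing_at_completion(0));
    return 0;
}
```

With the quoted check the second 3-byte record pushes offset to 6 and the comparison sees 6 + 3 = 9, so the 8-byte message is declared complete with 2 bytes still unread; the corrected check waits for the third record and fires at offset 8 with nothing missing.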
Updated by Philippe Antoine about 2 years ago
- Status changed from New to In Review
- Assignee changed from OISF Dev to Philippe Antoine
Gitlab MR
Updated by Victor Julien about 2 years ago
- Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Updated by Philippe Antoine about 2 years ago
- Status changed from In Review to Closed
Updated by Victor Julien about 2 years ago
- Priority changed from High to Normal
- Private changed from Yes to No
Issue only existed in master.