Project

General

Profile

Actions

Bug #5564

closed

tls: buffer overread

Added by Philippe Antoine over 1 year ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Found by oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52094

Reproducer is attached


Files

tls.pcap (5.19 KB) tls.pcap Philippe Antoine, 10/05/2022 07:18 PM
Actions #1

Updated by Philippe Antoine over 1 year ago

Multiple issues :

            ssl_state->curr_connp->hs_buffer_offset += add;

            if (ssl_state->curr_connp->hs_buffer_message_size <=
                    ssl_state->curr_connp->hs_buffer_offset + input_len) {

The check should remove + input_len (because it was already added to hs_buffer_offset just before

TLSDecodeHandshakeHello(ssl_state, input, ssl_state->curr_connp->message_length);

We should use input_len

Actions #2

Updated by Philippe Antoine over 1 year ago

  • Status changed from New to In Review
  • Assignee changed from OISF Dev to Philippe Antoine

Gitlab MR

Actions #3

Updated by Victor Julien over 1 year ago

  • Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Actions #5

Updated by Philippe Antoine over 1 year ago

  • Status changed from In Review to Closed
Actions #6

Updated by Victor Julien over 1 year ago

  • Priority changed from High to Normal
  • Private changed from Yes to No

Issue only existed in master.

Actions

Also available in: Atom PDF