Bug #5564 (closed): tls: buffer overread
Description
Found by oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52094
Reproducer is attached
Files
Added by Philippe Antoine about 3 years ago. Updated almost 3 years ago.
Multiple issues:
ssl_state->curr_connp->hs_buffer_offset += add;
if (ssl_state->curr_connp->hs_buffer_message_size <=
ssl_state->curr_connp->hs_buffer_offset + input_len) {
The check should remove + input_len (because it was already added to hs_buffer_offset just before).
TLSDecodeHandshakeHello(ssl_state, input, ssl_state->curr_connp->message_length);
We should use input_len.
Gitlab MR
Issue only existed in master.
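A constructed C model of the two checks named in the comment above, added here as an illustration and not Suricata's code (the HsBuf type, the feed/complete_*/decode_hello/scenario functions and the sample message are all made up): it shows the double-counted input_len declaring a fragmented handshake message complete while bytes are still missing, and a decoder that refuses a header length larger than the bytes actually available.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of handshake-fragment reassembly; not Suricata's code. */
typedef struct {
    uint8_t  buf[64];       /* reassembly buffer */
    uint32_t message_size;  /* length claimed by the handshake header */
    uint32_t offset;        /* bytes actually copied so far */
} HsBuf;

/* Reported check: offset already includes this fragment, so input_len is
 * counted twice and the message is declared complete too early. */
static int complete_buggy(const HsBuf *h, uint32_t input_len)
{
    return h->message_size <= h->offset + input_len;
}

/* Corrected check: only bytes really buffered count. */
static int complete_fixed(const HsBuf *h)
{
    return h->message_size <= h->offset;
}

/* Append one fragment, clamped to the message length and to the buffer. */
static void feed(HsBuf *h, const uint8_t *in, uint32_t input_len)
{
    uint32_t add = input_len;
    if (add > h->message_size - h->offset) add = h->message_size - h->offset;
    if (add > sizeof(h->buf) - h->offset)  add = sizeof(h->buf) - h->offset;
    memcpy(h->buf + h->offset, in, add);
    h->offset += add;
}

/* Second issue: bound the decoder by bytes available (input_len), not by the
 * header's claimed length. Returns the handshake type byte, or -1 if refused. */
static int decode_hello(const uint8_t *data, uint32_t avail, uint32_t claimed_len)
{
    if (claimed_len == 0 || claimed_len > avail) return -1; /* would overread */
    return data[0];
}

/* Constructed 10-byte message (type 1 = ClientHello) arriving as 6 + 4 bytes.
 * Result bits: 0 buggy / 1 fixed after fragment 1, 2 buggy / 3 fixed after 2. */
static const uint8_t sample_hello[10] = { 1, 0, 0, 6, 3, 3, 0xaa, 0xbb, 0xcc, 0xdd };
static int scenario(void)
{
    HsBuf h = { .message_size = 10, .offset = 0 };
    int r = 0;
    feed(&h, sample_hello, 6);
    r |= (complete_buggy(&h, 6) << 0) | (complete_fixed(&h) << 1);
    feed(&h, sample_hello + 6, 4);
    r |= (complete_buggy(&h, 4) << 2) | (complete_fixed(&h) << 3);
    return r;   /* 13: buggy check says complete at 6 of 10 bytes, fixed does not */
}
```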