kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add heartbeat extension bounds check.

Browse Source 
A missing bounds check in the handling of the TLS heartbeat extension
can be used to reveal up to 64k of memory to a connected client or
server.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix (CVE-2014-0160)

(Imported from upstream's 7e840163c06c7692b796a93e3fa85a93136adbb2)
This commit is contained in:
Adam Langley 2014-06-20 12:00:00 -07:00
parent 45ba42a94c
commit 56475207be
2 changed files with 27 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
ssl/d1_both.c
View File

@ -1319,26 +1319,36 @@ dtls1_process_heartbeat(SSL *s)
unsigned int payload; unsigned int payload;
unsigned int padding = 16; /* Use minimum padding */ unsigned int padding = 16; /* Use minimum padding */
/* Read type and payload length first */
hbtype = *p++;
n2s(p, payload);
pl = p;
if (s->msg_callback) if (s->msg_callback)
s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
&s->s3->rrec.data[0], s->s3->rrec.length, &s->s3->rrec.data[0], s->s3->rrec.length,
s, s->msg_callback_arg); s, s->msg_callback_arg);
/* Read type and payload length first */
if (1 + 2 + 16 > s->s3->rrec.length)
return 0; /* silently discard */
hbtype = *p++;
n2s(p, payload);
if (1 + 2 + payload + 16 > s->s3->rrec.length)
return 0; /* silently discard per RFC 6520 sec. 4 */
pl = p;
if (hbtype == TLS1_HB_REQUEST) if (hbtype == TLS1_HB_REQUEST)
{ {
unsigned char *buffer, *bp; unsigned char *buffer, *bp;
unsigned int write_length = 1 /* heartbeat type */ +
2 /* heartbeat length */ +
payload + padding;
int r; int r;
if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
return 0;
/* Allocate memory for the response, size is 1 byte /* Allocate memory for the response, size is 1 byte
* message type, plus 2 bytes payload length, plus * message type, plus 2 bytes payload length, plus
* payload, plus padding * payload, plus padding
*/ */
buffer = OPENSSL_malloc(1 + 2 + payload + padding); buffer = OPENSSL_malloc(write_length);
bp = buffer; bp = buffer;
/* Enter response type, length and copy payload */ /* Enter response type, length and copy payload */
@ -1349,11 +1359,11 @@ dtls1_process_heartbeat(SSL *s)
/* Random padding */ /* Random padding */
RAND_pseudo_bytes(bp, padding); RAND_pseudo_bytes(bp, padding);
r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding); r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length);
if (r >= 0 && s->msg_callback) if (r >= 0 && s->msg_callback)
s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
buffer, 3 + payload + padding, buffer, write_length,
s, s->msg_callback_arg); s, s->msg_callback_arg);
OPENSSL_free(buffer); OPENSSL_free(buffer);

14
ssl/t1_lib.c
View File

@ -4182,16 +4182,20 @@ tls1_process_heartbeat(SSL *s)
unsigned int payload; unsigned int payload;
unsigned int padding = 16; /* Use minimum padding */ unsigned int padding = 16; /* Use minimum padding */
/* Read type and payload length first */
hbtype = *p++;
n2s(p, payload);
pl = p;
if (s->msg_callback) if (s->msg_callback)
s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
&s->s3->rrec.data[0], s->s3->rrec.length, &s->s3->rrec.data[0], s->s3->rrec.length,
s, s->msg_callback_arg); s, s->msg_callback_arg);
/* Read type and payload length first */
if (1 + 2 + 16 > s->s3->rrec.length)
return 0; /* silently discard */
hbtype = *p++;
n2s(p, payload);
if (1 + 2 + payload + 16 > s->s3->rrec.length)
return 0; /* silently discard per RFC 6520 sec. 4 */
pl = p;
if (hbtype == TLS1_HB_REQUEST) if (hbtype == TLS1_HB_REQUEST)
{ {
unsigned char *buffer, *bp; unsigned char *buffer, *bp;