
Avoid arithmetic operation on uint16 read from the wire.

Summary:
This could overflow previously.

CVE-2019-3560

Reviewed By: yfeldblum

Differential Revision: D14152362

fbshipit-source-id: c0ebb3fc59b49c7c23e6bcb90458c19cd891be65
knekritz authored and facebook-github-bot committed Feb 26, 2019
1 parent 261b8f6 commit 40bbb161e72fb609608d53b9d64c56bb961a6ee2
Showing with 11 additions and 3 deletions.
  1. +1 −3 fizz/record/PlaintextRecordLayer.cpp
  2. +10 −0 fizz/record/test/PlaintextRecordTest.cpp
@@ -39,9 +39,7 @@ folly::Optional<TLSMessage> PlaintextReadRecordLayer::read(
if (buf.chainLength() < (cursor - buf.front()) + length) {
return folly::none;
}
length +=
sizeof(ContentType) + sizeof(ProtocolVersion) + sizeof(uint16_t);
buf.trimStart(length);
buf.trimStart(static_cast<size_t>(kPlaintextHeaderSize) + length);
continue;
} else if (msg.type != ContentType::change_cipher_spec) {
skipEncryptedRecords_ = false;
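Review bot: The guard at the top of the hunk sizes the header as `cursor - buf.front()` while the new `buf.trimStart(...)` sizes it as `kPlaintextHeaderSize`, so the bounds check and the trim only agree if those two values are always equal, which this hunk does not show. Trimming by the quantity that was actually checked, e.g. `buf.trimStart((cursor - buf.front()) + length);`, or asserting that equality, would keep validation and consumption in lockstep. The new line also deserves a comment such as `// length is a uint16_t from the wire; widen before adding the header size so the sum cannot wrap`, because the removed `length +=` presumably wrapped in 16 bits and nothing in the code now records why the cast is there. The enclosing read() starts and ends outside the hunk.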
@@ -115,6 +115,16 @@ TEST_F(PlaintextRecordTest, TestSkipAndWait) {
EXPECT_TRUE(queue_.empty());
}

TEST_F(PlaintextRecordTest, TestSkipOversizedRecord) {
read_.setSkipEncryptedRecords(true);
addToQueue("170301fffb");
auto longBuf = IOBuf::create(0xfffb);
longBuf->append(0xfffb);
queue_.append(std::move(longBuf));
EXPECT_FALSE(read_.read(queue_).hasValue());
EXPECT_TRUE(queue_.empty());
}

TEST_F(PlaintextRecordTest, TestWaitBeforeSkip) {
read_.setSkipEncryptedRecords(true);
addToQueue("170301000501234567");
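Review bot: TestSkipOversizedRecord pins only the single length 0xfffb and does not say why that value was chosen; with the 5-byte header `170301fffb` it appears to be the smallest length whose header-plus-payload total no longer fits in 16 bits. A comment such as `// 5-byte header + 0xfffb payload = 0x10000, which wraps to 0 in a uint16_t` would make this regression test for CVE-2019-3560 self-explanatory. Consider also a case with length `ffff` and one where a valid record follows the oversized one, so the test shows the reader stays aligned on the next record and not only that the queue drains. The last context lines belong to TestWaitBeforeSkip, whose body continues outside the hunk.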
