-
-
Notifications
You must be signed in to change notification settings - Fork 10.1k
Commit
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for preparing the fix (CVE-2014-0160)
- Loading branch information
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -1459,26 +1459,36 @@ dtls1_process_heartbeat(SSL *s) | |
unsigned int payload; | ||
unsigned int padding = 16; /* Use minimum padding */ | ||
|
||
/* Read type and payload length first */ | ||
hbtype = *p++; | ||
n2s(p, payload); | ||
pl = p; | ||
|
||
if (s->msg_callback) | ||
s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, | ||
&s->s3->rrec.data[0], s->s3->rrec.length, | ||
s, s->msg_callback_arg); | ||
|
||
/* Read type and payload length first */ | ||
if (1 + 2 + 16 > s->s3->rrec.length) | ||
return 0; /* silently discard */ | ||
hbtype = *p++; | ||
n2s(p, payload); | ||
if (1 + 2 + payload + 16 > s->s3->rrec.length) | ||
This comment has been minimized.
Sorry, something went wrong.
This comment has been minimized.
Sorry, something went wrong. |
||
return 0; /* silently discard per RFC 6520 sec. 4 */ | ||
pl = p; | ||
|
||
if (hbtype == TLS1_HB_REQUEST) | ||
{ | ||
unsigned char *buffer, *bp; | ||
unsigned int write_length = 1 /* heartbeat type */ + | ||
2 /* heartbeat length */ + | ||
This comment has been minimized.
Sorry, something went wrong.
davidgoli
|
||
payload + padding; | ||
int r; | ||
|
||
if (write_length > SSL3_RT_MAX_PLAIN_LENGTH) | ||
return 0; | ||
|
||
/* Allocate memory for the response, size is 1 byte | ||
This comment has been minimized.
Sorry, something went wrong. |
||
* message type, plus 2 bytes payload length, plus | ||
* payload, plus padding | ||
*/ | ||
buffer = OPENSSL_malloc(1 + 2 + payload + padding); | ||
buffer = OPENSSL_malloc(write_length); | ||
bp = buffer; | ||
|
||
/* Enter response type, length and copy payload */ | ||
|
@@ -1489,11 +1499,11 @@ dtls1_process_heartbeat(SSL *s) | |
/* Random padding */ | ||
RAND_pseudo_bytes(bp, padding); | ||
|
||
r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding); | ||
r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length); | ||
|
||
if (r >= 0 && s->msg_callback) | ||
s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, | ||
buffer, 3 + payload + padding, | ||
buffer, write_length, | ||
s, s->msg_callback_arg); | ||
|
||
OPENSSL_free(buffer); | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -2588,16 +2588,20 @@ tls1_process_heartbeat(SSL *s) | |
unsigned int payload; | ||
unsigned int padding = 16; /* Use minimum padding */ | ||
|
||
This comment has been minimized.
Sorry, something went wrong.
FenilKavathia
|
||
/* Read type and payload length first */ | ||
hbtype = *p++; | ||
n2s(p, payload); | ||
pl = p; | ||
|
||
if (s->msg_callback) | ||
s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, | ||
&s->s3->rrec.data[0], s->s3->rrec.length, | ||
s, s->msg_callback_arg); | ||
|
||
/* Read type and payload length first */ | ||
if (1 + 2 + 16 > s->s3->rrec.length) | ||
This comment has been minimized.
Sorry, something went wrong.
This comment has been minimized.
Sorry, something went wrong.
davidgoli
|
||
return 0; /* silently discard */ | ||
hbtype = *p++; | ||
n2s(p, payload); | ||
if (1 + 2 + payload + 16 > s->s3->rrec.length) | ||
This comment has been minimized.
Sorry, something went wrong. |
||
return 0; /* silently discard per RFC 6520 sec. 4 */ | ||
pl = p; | ||
|
||
if (hbtype == TLS1_HB_REQUEST) | ||
{ | ||
unsigned char *buffer, *bp; | ||
|
4 comments
on commit 96db902
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what's up with all the magic numbers? Right click, Refactor -> Introduce Variable
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ha, I thought the same thing. Actually, I thought "god I can't stand seeing that in code reviews but I guess it's how they do it in the real world"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Extract Method
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good job - just reading this now as I have come across the heart bleed bug while learning about TLS security.
Could probably usepadding
here rather than the hard coded16
?Edit: According to rfc6520 s4, the
16
is the minimum padding allowed thus having no relation topadding
which should be a random number greater than 16