Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TLS13 padding bounds check #7099

Merged
merged 4 commits into from
Jan 4, 2024
Merged

TLS13 padding bounds check #7099

merged 4 commits into from
Jan 4, 2024

Conversation

jpbland1
Copy link
Contributor

Description

When removing the padding for the TLS13 verify message step, check that the index doesn't wrap around due to a malformed packet

Fixes #7089

Testing

Tested with malicious client example provided by the bug reporter.

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@jpbland1
when removing the padding for the TLS13 verify message
e641c6b 
step, check that the index doesn't wrap around due to a malformed packet
@jpbland1 jpbland1 self-assigned this Dec 27, 2023
@jpbland1 jpbland1 requested a review from dgarske December 27, 2023 21:11
@jpbland1 jpbland1 marked this pull request as ready for review December 27, 2023 21:12
@jpbland1 jpbland1 mentioned this pull request Dec 27, 2023
Closed
@dgarske dgarske assigned wolfSSL-Bot and unassigned dgarske Dec 27, 2023
dgarske
dgarske previously approved these changes Dec 27, 2023
View reviewed changes
@jpbland1
Copy link
Contributor Author

retest this please.

douzzer
douzzer requested changes Jan 2, 2024
View reviewed changes
src/internal.c Outdated
Comment on lines 21169 to 21170
/* check i isn't too big and won't wrap around on --i */
if (i > ssl->buffers.inputBuffer.length || i == 0) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we need to test for integer overflow, then I suspect we need to test ssl->buffers.inputBuffer.idx + ssl->curSize - ssl->specs.aead_mac_size before casting it.

@jpbland1 jpbland1 requested a review from douzzer January 3, 2024 22:22
@douzzer douzzer merged commit 9db2077 into wolfSSL:master Jan 4, 2024
108 checks passed
kojo1 added a commit to kojo1/wolfssl that referenced this pull request Jul 9, 2024
@kojo1
TLS13 padding bounds check wolfSSL#7099
6e7a608
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@douzzer douzzer douzzer approved these changes

@dgarske dgarske dgarske left review comments

Assignees

@douzzer douzzer

@jpbland1 jpbland1

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Bug]: Asan reports SEGV on unknown address in ProcessReplyEx, potential heap over flow
4 participants
@jpbland1 @dgarske @douzzer @wolfSSL-Bot