Hi, I feel there is a check missing in ssl3_write_bytes, in case of handling write failure. Consider SSL_write is called with 20000 bytes buffer, then internally in ssl3_write_bytes we try to send it as two record (16384 and 3616). If TCP send failed for the second record then we store the states internally (wnum, wpend_tot and
wpend_buf) and return back the result. Later application has to call SSL_write with same buffer, if it calls with different buffer of length 100 byte then we fail that in ssl3_write_bytes using the check (len < tot). But consider application calls with buffer of size 18000 bytes and SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER is enabled. Then (len < tot) will not succeed as tot is 16384. Then it will call ssl3_write_pending to send the remaining 3616 record.
If it succeeds we are incrementing tot, (tot += i). Now tot will have 20000. Later there is a check (tot == len), this will not succeed. Then directly we are doing n = (len - tot), this will overflow and store a value close to 2^32 in n. Then it will cause out of bound access to the application buffer "buf". I hope we should have one more check (len < (tot + s->s3->wpend_tot)) before calling ssl3_write_pending. if ((len < tot) || (len < (tot + s->s3->wpend_tot))){ SSLerr(SSL_F_SSL3_WRITE_BYTES, SSL_R_BAD_LENGTH); return (-1); } Note : I am referring 1.0.2k version of OpenSSL. Regards, Ashok
本邮件及其附件含有华为公司的保密信息,仅限于发送给上面地址中列出的个人或群组。禁 |
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users