On Fri, Apr 05, 2002 at 03:19:55PM -0800, Alex Pankratov wrote:
> the following problem is present in 0.9.6 and 0.9.6c.
>
> It is possible to put server code into the internal infinite
> loop in ssl3_read_bytes() by sending the following data from
> the client right after establishing TCP connection:
>
> 01 03 01 00 01 00
>
> i.e. the record with type 1, version TLSv1, size 1 and dummy payload.
>
> Calling stack will look like this:
> SSL_accept()
> ssl3_accept()
> ssl3_get_client_hello()
> ssl3_get_message()
> ssl3_read_bytes()
>
> The problem is in the code that was supposed to ignore unknown TLS
> message types:
>
> switch (rr->type)
> {
> default:
> #ifndef NO_TLS
> /* TLS just ignores unknown message types */
> if (s->version == TLS1_VERSION)
> {
> goto start;
> }
> #endif
> ...
>
> The code passes control back to start without resetting 'rr' length,
> thus causing code not to ignore the record and process next one, but
> rather process current one *again*. This yields an infinite loop.
>
> From the first glance, the fix is to add
>
> rr->length = 0;
>
> right before 'goto start;' line from above. This may leak memory
> though if 'rr' requires explicit disposition via function call.
>
> I am not subscribed to any openssl maillists, so please reply privately
> if needed.
This bug is already fixed in the CVS:
*) Fix ssl3_read_bytes (ssl/s3_pkt.c): To ignore messages of unknown
type, we must throw them away by setting rr->length to 0.
[D P Chang <[EMAIL PROTECTED]>]
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
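The loop described in the report, as an added example that is not OpenSSL's own code: a toy stand-in for the record layer that reads 5-byte record headers from a constructed input buffer, dispatches on the record type the way the quoted `switch` does, and takes `goto start` on unknown types under TLS1_VERSION. The `fixed` flag selects between the reported behaviour (record length left untouched) and the fix from the CHANGES entry (`rr->length = 0` before the jump). An iteration cap makes the hang observable instead of fatal. The record struct points into the input buffer, so zeroing its length frees nothing and leaks nothing here; struct names, the `get_record()` helper and the second handshake record appended to the reporter's bytes are all assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SSL3_RT_HANDSHAKE 22     /* record type 0x16 */
#define TLS1_VERSION 0x0301

/* Assumed stand-in for SSL3_RECORD: type, remaining length, payload pointer. */
typedef struct {
    int type;
    size_t length;
    const uint8_t *data;
} record_t;

/* Assumed stand-in for the connection: input buffer plus the current record. */
typedef struct {
    int version;
    const uint8_t *in;
    size_t in_len;
    size_t off;          /* read offset into in[] */
    record_t rr;
} conn_t;

/* Parse the next 5-byte record header and payload from the input buffer.
   Returns 1 on success, 0 when no complete record is left. */
static int get_record(conn_t *s)
{
    if (s->off + 5 > s->in_len) return 0;
    const uint8_t *p = s->in + s->off;
    size_t len = ((size_t)p[3] << 8) | p[4];
    if (s->off + 5 + len > s->in_len) return 0;
    s->rr.type = p[0];
    s->rr.length = len;
    s->rr.data = p + 5;
    s->off += 5 + len;
    return 1;
}

/* Simplified ssl3_read_bytes: return the length of the next handshake record.
   fixed == 0 reproduces the reported loop; fixed == 1 applies rr->length = 0.
   Returns -1 on end of input, -2 when max_iterations is exceeded (the hang). */
static int read_handshake_bytes(conn_t *s, int fixed, int max_iterations,
                                int *iterations)
{
    record_t *rr = &s->rr;
    *iterations = 0;
start:
    if (++*iterations > max_iterations)
        return -2;
    /* A new record is only fetched once the current one is fully consumed. */
    if (rr->length == 0 && !get_record(s))
        return -1;
    switch (rr->type) {
    case SSL3_RT_HANDSHAKE:
        return (int)rr->length;
    default:
        /* TLS just ignores unknown record types. Without resetting the
           length, the jump re-dispatches the same record forever. */
        if (s->version == TLS1_VERSION) {
            if (fixed)
                rr->length = 0;   /* discard the record before looping */
            goto start;
        }
        return -1;
    }
}

/* Constructed input: the reporter's 6 bytes (type 1, TLSv1, length 1, one dummy
   byte), followed by an assumed well-formed handshake record of 4 bytes. */
static const uint8_t INPUT[] = {
    0x01, 0x03, 0x01, 0x00, 0x01, 0x00,
    0x16, 0x03, 0x01, 0x00, 0x04, 0x01, 0x00, 0x00, 0x00
};

static int run(int fixed, int *iterations)
{
    conn_t s = { TLS1_VERSION, INPUT, sizeof INPUT, 0, { 0, 0, NULL } };
    return read_handshake_bytes(&s, fixed, 1000, iterations);
}

/* Helpers so the result and the iteration count can be checked separately. */
int run_result(int fixed)     { int it; return run(fixed, &it); }
int run_iterations(int fixed) { int it; run(fixed, &it); return it; }

int main(void)
{
    printf("unfixed: result=%d after %d iterations\n",
           run_result(0), run_iterations(0));
    printf("fixed:   result=%d after %d iterations\n",
           run_result(1), run_iterations(1));
    return 0;
}
```

With the fix the unknown record is consumed on the first pass and the handshake record behind it is delivered on the second; without it the dispatch never advances past the first record and only the iteration cap ends the loop.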