Tushar wrote:
> Hi,
>
> I have a question regarding the buffer overflow checks
> in 0.9.6g.
>
> Why do we always check for
> SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER?
> ^^^
> Shouldn't it be for
> SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
> ^^^
>
> Line# 437 in get_client_master_key()
> len = 10 + (unsigned long)s->s2->tmp.clear + (unsigned
> long)s->s2->tmp.enc + (unsigned long)keya;
>
> if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
> {
> ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
> SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_MESSAGE_TOO_LONG);
> return -1;
> }
>
>
> As Client-hello (similar check here),
> Client-master-key messages will go in clear, it will
> be with 2 byte header. And as we know 2 byte header
> allows for larger record length than 3 byte header,
> the above checks ideally should have been with
> SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER.
>
> Ya, it's true that Client-hello and Client-master-key
> are small messages and will not exceed the max 3-byte-
> header record length too.
>
> Please correct me if I am wrong.
We check for that value because we've just checked the buffer is big
enough to accept that length.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
Available for contract work.
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
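The point of the exchange above is that a length check belongs against the capacity of the buffer the data is actually going into, not against whatever the protocol's theoretical maximum happens to be. The following is an added illustration, not OpenSSL code and not from either poster: it decodes the two SSLv2 record header forms (2-byte header with a 15-bit length, 3-byte header with a 14-bit length plus a padding byte, which is why the 2-byte form permits the larger record) and then performs the CLIENT-MASTER-KEY length check from the quoted snippet against an explicit buffer capacity. The two `#define` values mirror those in OpenSSL's `ssl2.h`; the function names `ssl2_record_header` and `client_master_key_fits` and the sample bytes are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Values of the real OpenSSL ssl2.h macros (2^15-1 and 2^14-1). */
#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 32767
#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383

/* Decode an SSLv2 record header (hypothetical helper).
 * Returns the header size (2 or 3) and fills in the record length and
 * padding count, or returns 0 if the input is too short to decode. */
int ssl2_record_header(const unsigned char *p, size_t n,
                       unsigned long *rec_len, int *padding)
{
    if (n < 2)
        return 0;
    if (p[0] & 0x80) {
        /* 2-byte header: top bit set, remaining 15 bits are the length. */
        *rec_len = ((unsigned long)(p[0] & 0x7f) << 8) | p[1];
        *padding = 0;
        return 2;
    }
    if (n < 3)
        return 0;
    /* 3-byte header: bit 6 is the is-escape flag, low 14 bits are the
     * length, and the third byte gives the number of padding bytes. */
    *rec_len = ((unsigned long)(p[0] & 0x3f) << 8) | p[1];
    *padding = p[2];
    return 3;
}

/* The CLIENT-MASTER-KEY size check from the quoted code, parameterised on
 * the capacity of the receiving buffer (hypothetical helper). The constant
 * 10 is the fixed part of the message: 1 byte message type, 3 bytes
 * cipher kind, and three 2-byte length fields (clear, encrypted, key-arg). */
bool client_master_key_fits(unsigned long clear, unsigned long enc,
                            unsigned long keya, unsigned long buf_cap)
{
    unsigned long len;

    /* Reject any single component larger than the buffer first, so the
     * sum below cannot wrap around and sneak past the final comparison. */
    if (clear > buf_cap || enc > buf_cap || keya > buf_cap)
        return false;
    len = 10 + clear + enc + keya;
    return len <= buf_cap;
}

int main(void)
{
    /* Constructed sample headers: one of each form. */
    const unsigned char two_byte[] = { 0x81, 0x00 };       /* length 256 */
    const unsigned char three_byte[] = { 0x00, 0x10, 0x02 }; /* length 16, 2 pad */
    unsigned long len;
    int pad;

    if (ssl2_record_header(two_byte, sizeof two_byte, &len, &pad) == 2)
        printf("2-byte header: record length %lu\n", len);
    if (ssl2_record_header(three_byte, sizeof three_byte, &len, &pad) == 3)
        printf("3-byte header: record length %lu, padding %d\n", len, pad);

    /* A typical CLIENT-MASTER-KEY (3 clear, 128 encrypted, 0 key-arg)
     * fits a buffer sized for the 3-byte-header maximum; a pair of
     * oversized components does not, even though each alone would. */
    printf("typical message fits: %d\n",
           client_master_key_fits(3, 128, 0, SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER));
    printf("oversized message fits: %d\n",
           client_master_key_fits(16000, 16000, 0, SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER));
    return 0;
}
```

Passing the buffer capacity explicitly makes the rationale in the reply visible in the code: whichever protocol constant the buffer was allocated for is the one the message length must be compared against.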
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]