Tushar wrote:

> Hi,
>
> I have a question regarding the buffer overflow checks in 0.9.6g.
>
> Why do we always check for SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER?
>                                                   ^^^
> Shouldn't it be for SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER?
>                                              ^^^
>
> Line# 437 in get_client_master_key():
>
>     len = 10 + (unsigned long)s->s2->tmp.clear + (unsigned long)s->s2->tmp.enc + (unsigned long)keya;
>
>     if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
>         {
>         ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
>         SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_MESSAGE_TOO_LONG);
>         return -1;
>         }
>
> As Client-hello (similar check there) and Client-master-key messages go in
> the clear, they will be sent with a 2-byte header. And as we know, a 2-byte
> header allows a larger record length than a 3-byte header, so the above
> checks ideally should have been against SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER.
>
> Yeah, it's true that Client-hello and Client-master-key are small messages
> and will not exceed the max 3-byte-header record length either.
>
> Please correct me if I am wrong.
We check for that value because we've just checked the buffer is big enough to accept that length.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

Available for contract work.

"There is no limit to what a man can do or how far he can go if he doesn't
mind who gets the credit." - Robert Woodruff

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
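The point of Ben's reply is that the bound in the message-length check is the capacity of the receive buffer the record is copied into, not the largest length the record header could encode. The following is an added example, not OpenSSL's code: it decodes the two SSLv2 header forms (a 2-byte header carries 15 length bits, a 3-byte header 14 length bits plus a padding count) and then checks the record against a buffer size. The receive buffer size `RECV_BUF_SIZE` and the helper names are assumptions made for the example; only the two length maxima correspond to the SSL2_MAX_RECORD_LENGTH_* names from the thread.

```c
#include <stddef.h>
#include <stdio.h>

/* Largest length each header form can encode (same values as OpenSSL's
 * SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER / _3_BYTE_HEADER). */
#define MAX_LEN_2_BYTE_HEADER 32767
#define MAX_LEN_3_BYTE_HEADER 16383

/* Assumed size of the receive buffer in this example. It is sized for the
 * 3-byte-header maximum, so a 2-byte header can legally announce more
 * bytes than the buffer holds: the buffer, not the header, is the bound. */
#define RECV_BUF_SIZE (MAX_LEN_3_BYTE_HEADER + 3)

struct ssl2_rec_hdr {
    int hdr_len;      /* 2 or 3 */
    int is_escape;    /* escape flag, 3-byte header only */
    unsigned int len; /* record length (MAC + data + padding) */
    unsigned int pad; /* padding bytes, 3-byte header only */
};

/* Decode the first two or three bytes of an SSLv2 record.
 * Returns 0 on success, -1 if fewer bytes than the header needs are available. */
int ssl2_parse_header(const unsigned char *buf, size_t avail, struct ssl2_rec_hdr *h)
{
    if (avail < 2)
        return -1;
    if (buf[0] & 0x80) {
        /* High bit set: 2-byte header, 15-bit length, no padding. */
        h->hdr_len = 2;
        h->is_escape = 0;
        h->len = ((unsigned int)(buf[0] & 0x7f) << 8) | buf[1];
        h->pad = 0;
    } else {
        /* High bit clear: 3-byte header, escape bit, 14-bit length, padding. */
        if (avail < 3)
            return -1;
        h->hdr_len = 3;
        h->is_escape = (buf[0] & 0x40) != 0;
        h->len = ((unsigned int)(buf[0] & 0x3f) << 8) | buf[1];
        h->pad = buf[2];
    }
    return 0;
}

/* Can header plus body be read into a buffer of buf_size bytes?
 * Returns 0 if it fits, -1 if it does not or the header is inconsistent. */
int ssl2_record_fits(const struct ssl2_rec_hdr *h, size_t buf_size)
{
    /* Padding is counted inside the length, so pad > len is malformed. */
    if (h->hdr_len == 3 && h->pad > h->len)
        return -1;
    return ((size_t)h->hdr_len + h->len <= buf_size) ? 0 : -1;
}

/* Convenience wrapper: parse raw header bytes and check them against a buffer.
 * Returns 0 (accept) or -1 (reject), mirroring the error path in the thread. */
int ssl2_check_bytes(const unsigned char *buf, size_t avail, size_t buf_size)
{
    struct ssl2_rec_hdr h;
    if (ssl2_parse_header(buf, avail, &h) != 0)
        return -1;
    return ssl2_record_fits(&h, buf_size);
}

/* Decoded length of a header, or 0 on parse failure (for inspection). */
unsigned int ssl2_header_len(const unsigned char *buf, size_t avail)
{
    struct ssl2_rec_hdr h;
    return ssl2_parse_header(buf, avail, &h) == 0 ? h.len : 0;
}

int main(void)
{
    /* Constructed headers: a maximal 2-byte header and a maximal 3-byte header. */
    const unsigned char two_byte_max[2]   = { 0xff, 0xff };       /* len 32767 */
    const unsigned char three_byte_max[3] = { 0x3f, 0xff, 0x00 }; /* len 16383 */

    printf("2-byte header, len %u: %s\n", ssl2_header_len(two_byte_max, 2),
           ssl2_check_bytes(two_byte_max, 2, RECV_BUF_SIZE) == 0 ? "fits" : "rejected");
    printf("3-byte header, len %u: %s\n", ssl2_header_len(three_byte_max, 3),
           ssl2_check_bytes(three_byte_max, 3, RECV_BUF_SIZE) == 0 ? "fits" : "rejected");
    return 0;
}
```

The 2-byte header form can announce up to 32767 bytes, more than a buffer sized for the 3-byte maximum can hold, which is exactly why a check phrased in terms of what the header could encode would be the wrong bound; the check must follow the buffer allocation.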