Code review request, 7200295 CertificateRequest message is wrapping when using large numbers of Certs

Brad Wetmore bradford.wetmore at oracle.com
Tue Sep 25 01:23:51 UTC 2012


Are there situations where we might overflow the int?

For example, in CertificateRequest.messageLength()

         for (int i = 0; i < authorities.length; i++) {
             len += authorities[i].length();
         }

What if len overflows?

Also, all of these field's callers are overflow-1?

Brad




On 9/23/2012 7:42 PM, Xuelei Fan wrote:
> Hi,
>
> Please review the update to check output field length overflow in TLS
> handshaking.
>
> bug   : http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7200295
> webrev: http://cr.openjdk.java.net/~xuelei/7200295/webrev.00/
>
> The cause of the bug is that for 8, 16, 24 bits length-variable fields,
> before putting the bytes into the fields, we do not check that the length of
> the bytes is less than the capabilities of the field.
>
> Thanks,
> Xuelei
>
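
The two points raised in this thread (a length prefix that cannot describe the data written after it, and an `int` sum of lengths that could wrap), as an added example that is not code from the webrev or the JDK. The class and method names are hypothetical, and `Math.addExact` assumes Java 8 or later.

```java
import java.io.ByteArrayOutputStream;

public class LengthFieldCheck {
    // Unchecked writer: only the low 16 bits of the length reach the wire.
    static void putBytes16Unchecked(ByteArrayOutputStream out, byte[] b) {
        out.write(b.length >> 8);
        out.write(b.length);
        out.write(b, 0, b.length);
    }

    // Checked writer: refuse data that the 16-bit length prefix cannot describe.
    static void putBytes16(ByteArrayOutputStream out, byte[] b) {
        if (b.length >= (1 << 16)) {
            throw new IllegalArgumentException("field length overflow: " + b.length);
        }
        putBytes16Unchecked(out, b);
    }

    // Sum entry sizes (2-byte prefix each); addExact throws instead of wrapping.
    static int totalLength(byte[][] entries) {
        int len = 0;
        for (byte[] e : entries) {
            len = Math.addExact(len, Math.addExact(e.length, 2));
        }
        return len;
    }

    // Decode the 16-bit big-endian length prefix the way a receiver would.
    static int readLength16(byte[] wire) {
        return ((wire[0] & 0xFF) << 8) | (wire[1] & 0xFF);
    }

    public static void main(String[] args) {
        byte[] big = new byte[70000]; // constructed sample, larger than 2^16 - 1
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        putBytes16Unchecked(out, big);
        // The declared length is 70000 mod 65536, so the receiver misparses what follows.
        System.out.println("declared=" + readLength16(out.toByteArray()) + " actual=" + big.length);
        try {
            putBytes16(new ByteArrayOutputStream(), big);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
        System.out.println("total=" + totalLength(new byte[][] { new byte[10], new byte[20] }));
    }
}
```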


