RFR 8044860: Vectors and fixed length fields should be verified for allowed sizes
Xuelei Fan
xuelei.fan at oracle.com
Fri Jan 23 00:26:38 UTC 2015
I may use SSLProtocolException if the size of session ID is bigger than
32. Otherwise, looks fine to me.
Xuelei
On 1/23/2015 2:35 AM, Jamil Nimeh wrote:
> Hi all,
>
> This review is to provide length checks on the session ID for SSL/TLS
> connections. It appears to be the only vector/array that needs
> additional length-checks to make sure it's not exceeding 32 bytes.
>
> Bug: https://bugs.openjdk.java.net/browse/JDK-8044860
> Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8044860/webrev.01
>
> Thanks,
> --Jamil
More information about the security-dev
mailing list