RFR 8044860: Vectors and fixed length fields should be verified for allowed sizes

Jamil Nimeh jamil.j.nimeh at oracle.com
Fri Jan 23 02:24:09 UTC 2015


Hi Xuelei, et al.:

Updated webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8044860/webrev.02

Thanks,
--Jamil

On 01/22/2015 04:26 PM, Xuelei Fan wrote:
> I may use SSLProtocolException if the size of session ID is bigger than
> 32.  Otherwise, looks fine to me.
>
> Xuelei
>
> On 1/23/2015 2:35 AM, Jamil Nimeh wrote:
>> Hi all,
>>
>> This review is to provide length checks on the session ID for SSL/TLS
>> connections.  It appears to be the only vector/array that needs
>> additional length-checks to make sure it's not exceeding 32 bytes.
>>
>> Bug: https://bugs.openjdk.java.net/browse/JDK-8044860
>> Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8044860/webrev.01
>>
>> Thanks,
>> --Jamil
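
The check discussed in this thread, sketched as an added example (not code from the webrev or the JDK): TLS defines the session ID as `opaque SessionID<0..32>`, a one-byte length followed by the body, so a parser has to reject any declared length above 32 and, as Xuelei suggests, can signal that with `SSLProtocolException`. The class, method and sample data below are hypothetical.

```java
import java.nio.ByteBuffer;
import javax.net.ssl.SSLProtocolException;

public class SessionIdCheck {
    // TLS: opaque SessionID<0..32>, i.e. one length byte, then at most 32 bytes.
    static final int MAX_SESSION_ID_LEN = 32;

    // Hypothetical helper: reads the session_id vector at the buffer's position.
    static byte[] readSessionId(ByteBuffer in) throws SSLProtocolException {
        if (!in.hasRemaining()) {
            throw new SSLProtocolException("Truncated message: no session_id length");
        }
        int len = in.get() & 0xFF;   // length prefix is an unsigned 8-bit value
        if (len > MAX_SESSION_ID_LEN) {
            // The wire format can encode up to 255, so the bound must be enforced here.
            throw new SSLProtocolException(
                "Invalid session_id length " + len + " (max " + MAX_SESSION_ID_LEN + ")");
        }
        if (len > in.remaining()) {
            throw new SSLProtocolException("Truncated message: session_id body");
        }
        byte[] id = new byte[len];
        in.get(id);
        return id;
    }

    // Constructed sample input: a length byte followed by filler bytes.
    static ByteBuffer sample(int declaredLen, int actualLen) {
        ByteBuffer b = ByteBuffer.allocate(1 + actualLen);
        b.put((byte) declaredLen);
        for (int i = 0; i < actualLen; i++) {
            b.put((byte) i);
        }
        b.flip();
        return b;
    }

    public static void main(String[] args) {
        // {declared length, bytes actually present}: boundary, oversize, truncated.
        int[][] cases = { {0, 0}, {32, 32}, {33, 33}, {255, 255}, {16, 4} };
        for (int[] c : cases) {
            try {
                byte[] id = readSessionId(sample(c[0], c[1]));
                System.out.println("declared=" + c[0] + " accepted, " + id.length + " bytes");
            } catch (SSLProtocolException e) {
                System.out.println("declared=" + c[0] + " rejected: " + e.getMessage());
            }
        }
    }
}
```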
