RFR 8044860: Vectors and fixed length fields should be verified for allowed sizes
Xuelei Fan
xuelei.fan at oracle.com
Fri Jan 23 02:27:43 UTC 2015
Looks fine to me. Thanks!
Xuelei
On 1/23/2015 10:24 AM, Jamil Nimeh wrote:
> Hi Xuelei, et al.:
>
> Updated webrev:
> http://cr.openjdk.java.net/~jnimeh/reviews/8044860/webrev.02
>
> Thanks,
> --Jamil
>
> On 01/22/2015 04:26 PM, Xuelei Fan wrote:
>> I may use SSLProtocolException if the size of session ID is bigger than
>> 32. Otherwise, looks fine to me.
>>
>> Xuelei
>>
>> On 1/23/2015 2:35 AM, Jamil Nimeh wrote:
>>> Hi all,
>>>
>>> This review is to provide length checks on the session ID for SSL/TLS
>>> connections. It appears to be the only vector/array that needs
>>> additional length-checks to make sure it's not exceeding 32 bytes.
>>>
>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8044860
>>> Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8044860/webrev.01
>>>
>>> Thanks,
>>> --Jamil
>
More information about the security-dev
mailing list