RFR 8044860: Vectors and fixed length fields should be verified for allowed sizes

Xuelei Fan xuelei.fan at oracle.com
Fri Jan 23 02:27:43 UTC 2015


Looks fine to me.  Thanks!

Xuelei

On 1/23/2015 10:24 AM, Jamil Nimeh wrote:
> Hi Xuelei, et al.:
> 
> Updated webrev:
> http://cr.openjdk.java.net/~jnimeh/reviews/8044860/webrev.02
> 
> Thanks,
> --Jamil
> 
> On 01/22/2015 04:26 PM, Xuelei Fan wrote:
>> I may use SSLProtocolException if the size of session ID is bigger than
>> 32.  Otherwise, looks fine to me.
>>
>> Xuelei
>>
>> On 1/23/2015 2:35 AM, Jamil Nimeh wrote:
>>> Hi all,
>>>
>>> This review is to provide length checks on the session ID for SSL/TLS
>>> connections.  It appears to be the only vector/array that needs
>>> additional length-checks to make sure it's not exceeding 32 bytes.
>>>
>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8044860
>>> Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8044860/webrev.01
>>>
>>> Thanks,
>>> --Jamil
> 



More information about the security-dev mailing list