RFR 8044860: Vectors and fixed length fields should be verified for allowed sizes
Bradford Wetmore
bradford.wetmore at oracle.com
Fri Jan 23 05:57:59 UTC 2015

Jamil,

MAX_LENGTH probably could have been private, but not a big deal.

Nice that it was only SessionID.  I did a spot check on the TLS
Extensions and TLS1.0-1.2, do you check on other related TLS RFCs?

Brad

On 1/22/2015 6:27 PM, Xuelei Fan wrote:
> Looks fine to me.  Thanks!
>
> Xuelei
>
> On 1/23/2015 10:24 AM, Jamil Nimeh wrote:
>> Hi Xuelei, et al.:
>>
>> Updated webrev:
>> http://cr.openjdk.java.net/~jnimeh/reviews/8044860/webrev.02
>>
>> Thanks,
>> --Jamil
>>
>> On 01/22/2015 04:26 PM, Xuelei Fan wrote:
>>> I may use SSLProtocolException if the size of session ID is bigger than
>>> 32.  Otherwise, looks fine to me.
>>>
>>> Xuelei
>>>
>>> On 1/23/2015 2:35 AM, Jamil Nimeh wrote:
>>>> Hi all,
>>>>
>>>> This review is to provide length checks on the session ID for SSL/TLS
>>>> connections.  It appears to be the only vector/array that needs
>>>> additional length-checks to make sure it's not exceeding 32 bytes.
>>>>
>>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8044860
>>>> Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8044860/webrev.01
>>>>
>>>> Thanks,
>>>> --Jamil
>>
>
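
The session ID length check discussed in this thread, sketched as an added example (not part of the original messages and not the JDK change under review). It assumes a ClientHello body laid out as in RFC 5246 (2-byte version, 32-byte random, then the length-prefixed session ID); the class, the `readSessionId` and `build` names and the sample bytes are hypothetical, while `MAX_LENGTH`, the 32-byte limit and `SSLProtocolException` come from the thread.

```java
import java.nio.ByteBuffer;
import javax.net.ssl.SSLProtocolException;

public class SessionIdCheck {
    // Limit named in the thread: a session ID must not exceed 32 bytes.
    private static final int MAX_LENGTH = 32;

    /** Reads the session ID from a ClientHello body positioned at client_version. */
    static byte[] readSessionId(ByteBuffer hello) throws SSLProtocolException {
        // client_version (2) + random (32) + one-byte session ID length prefix
        if (hello.remaining() < 2 + 32 + 1) {
            throw new SSLProtocolException("Truncated ClientHello");
        }
        hello.position(hello.position() + 2 + 32);
        // The one-byte prefix can encode up to 255, so the protocol limit
        // has to be enforced explicitly before any copy or allocation.
        int len = hello.get() & 0xFF;
        if (len > MAX_LENGTH) {
            throw new SSLProtocolException(
                "Invalid session ID length (" + len + " bytes)");
        }
        // Separate check: the claimed length must fit in the bytes received.
        if (len > hello.remaining()) {
            throw new SSLProtocolException("Session ID exceeds message bounds");
        }
        byte[] id = new byte[len];
        hello.get(id);
        return id;
    }

    /** Constructed sample input: version 0x0303, zero random, given lengths. */
    static ByteBuffer build(int claimedLen, int actualLen) {
        ByteBuffer b = ByteBuffer.allocate(2 + 32 + 1 + actualLen);
        b.put((byte) 3).put((byte) 3).put(new byte[32])
         .put((byte) claimedLen).put(new byte[actualLen]);
        b.flip();
        return b;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("accepted: " + readSessionId(build(32, 32)).length);
        for (int[] c : new int[][] {{33, 33}, {32, 8}}) {
            try {
                readSessionId(build(c[0], c[1]));
            } catch (SSLProtocolException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```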