RFR 8044860: Vectors and fixed length fields should be verified for allowed sizes

Bradford Wetmore bradford.wetmore at oracle.com
Fri Jan 23 06:27:03 UTC 2015


Thanks for checking and for getting this bug knocked out.

I find http://datatracker.ietf.org/wg/tls/documents/ to be a useful
cross checking tool in situations like this.  As long as you hit the
major ones that we support, I'm happy.

Thanks,

Brad


On 1/22/2015 10:17 PM, Jamil Nimeh wrote:
> I did check some of the other TLS RFCs, particularly 6066, 6961, 4492,
> 5288 and a few others.  There are so many that I'm not 100% certain I
> caught them all, but not all apply to JSSE either.  In all the RFCs I
> looked at, those vectors had upper bounds that matched the maximum value
> for its length field.
>
> --Jamil
>
>
> On 01/22/2015 09:57 PM, Bradford Wetmore wrote:
>> Jamil,
>>
>> MAX_LENGTH probably could have been private, but not a big deal.
>>
>> Nice that it was only SessionID.  I did a spot check on the TLS
>> Extensions and TLS1.0-1.2, do you check on other related TLS RFCs?
>>
>> Brad
>>
>>
>>
>> On 1/22/2015 6:27 PM, Xuelei Fan wrote:
>>> Looks fine to me.  Thanks!
>>>
>>> Xuelei
>>>
>>> On 1/23/2015 10:24 AM, Jamil Nimeh wrote:
>>>> Hi Xuelei, et al.:
>>>>
>>>> Updated webrev:
>>>> http://cr.openjdk.java.net/~jnimeh/reviews/8044860/webrev.02
>>>>
>>>> Thanks,
>>>> --Jamil
>>>>
>>>> On 01/22/2015 04:26 PM, Xuelei Fan wrote:
>>>>> I may use SSLProtocolException if the size of session ID is bigger
>>>>> than
>>>>> 32.  Otherwise, looks fine to me.
>>>>>
>>>>> Xuelei
>>>>>
>>>>> On 1/23/2015 2:35 AM, Jamil Nimeh wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> This review is to provide length checks on the session ID for SSL/TLS
>>>>>> connections.  It appears to be the only vector/array that needs
>>>>>> additional length-checks to make sure it's not exceeding 32 bytes.
>>>>>>
>>>>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8044860
>>>>>> Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8044860/webrev.01
>>>>>>
>>>>>> Thanks,
>>>>>> --Jamil
>>>>
>>>
>
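The length check this thread settles on, as an added example in Python rather than the JSSE code under review: a parser for the fixed-length fields and the session_id vector at the start of a ClientHello body, which rejects a session_id longer than the 32-byte upper bound of its RFC 5246 declaration (opaque SessionID<0..32>) instead of trusting the one-byte length prefix. HandshakeFormatError stands in for SSLProtocolException, and the builder and check helpers are constructed for the example, not JSSE APIs.

```python
# RFC 5246 section 7.4.1.2 declares the vector as opaque SessionID<0..32>.
# The one-byte length prefix can encode 0..255, so the bound must be enforced.
SESSION_ID_MAX = 32
RANDOM_LEN = 32          # fixed-length field: 4-byte gmt_unix_time + 28 random bytes


class HandshakeFormatError(ValueError):
    """Constructed stand-in for the SSLProtocolException chosen in the thread."""


def parse_client_hello_prefix(body: bytes) -> dict:
    """Parse client_version, random and session_id from a ClientHello body.

    `body` is the handshake message body (after the 4-byte handshake header).
    Every read is bounds-checked against the buffer, and the session_id vector
    is checked against its RFC upper bound, not only against the bytes on hand.
    """
    if len(body) < 2 + RANDOM_LEN + 1:
        raise HandshakeFormatError("ClientHello truncated before session_id length")
    major, minor = body[0], body[1]
    random = body[2:2 + RANDOM_LEN]
    pos = 2 + RANDOM_LEN
    sid_len = body[pos]
    pos += 1
    if sid_len > SESSION_ID_MAX:
        # The length byte may claim up to 255; the declaration allows at most 32.
        raise HandshakeFormatError(
            f"session_id length {sid_len} exceeds maximum {SESSION_ID_MAX}")
    if len(body) < pos + sid_len:
        raise HandshakeFormatError("session_id runs past end of message")
    session_id = body[pos:pos + sid_len]
    return {"version": (major, minor), "random": random, "session_id": session_id}


def build_client_hello_prefix(session_id: bytes, version=(3, 3)) -> bytes:
    """Constructed encoder for test inputs only; it deliberately does not
    validate the length, so an over-long vector can be fed to the parser."""
    return bytes(version) + b"\x11" * RANDOM_LEN + bytes([len(session_id)]) + session_id


def check(body: bytes) -> str:
    """Return 'ok' or the rejection reason, as a call site that logs would."""
    try:
        parse_client_hello_prefix(body)
        return "ok"
    except HandshakeFormatError as e:
        return str(e)
```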