RFR: 8264948: Check for TLS extensions total length [v2]

Xue-Lei Andrew Fan xuelei at openjdk.java.net
Fri Apr 9 19:29:54 UTC 2021


On Fri, 9 Apr 2021 05:55:40 GMT, Jamil Nimeh <jnimeh at openjdk.org> wrote:

>> Xue-Lei Andrew Fan has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   Change to use decode_error for incorrect extension length
>
> src/java.base/share/classes/sun/security/ssl/SSLExtensions.java line 68:
> 
>> 66:                     Alert.ILLEGAL_PARAMETER,
>> 67:                     "Insufficient extensions data");
>> 68:         }
> 
> For both of these blocks the checks themselves look OK, but illegal_parameter I thought was more for cases where a field value is out of range or inconsistent with already negotiated parameters.  I would think that decode_error would be more appropriate to cases like this where the encoding is structurally incorrect and the length doesn't match the actual data size.

Good catch!  Updated to use decode_error.

-------------

PR: https://git.openjdk.java.net/jdk/pull/3405
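
The check discussed in this thread, as an added example that is not the JDK's `SSLExtensions` code: a parser that rejects an extensions block whose declared lengths do not match the data present, and reports that as decode_error. The names `ExtensionsLengthCheck`, `Ext` and `DecodeError` are hypothetical, the sample bytes are constructed, and Java 17 or later is assumed.

```java
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.HexFormat;
import java.util.List;

public class ExtensionsLengthCheck {
    record Ext(int type, byte[] data) {}

    // Hypothetical exception for this sketch; stands for the decode_error alert.
    static class DecodeError extends Exception {
        DecodeError(String msg) { super(msg); }
    }

    // Parses "Extension extensions<0..2^16-1>" starting at m's current position.
    static List<Ext> parse(ByteBuffer m) throws DecodeError {
        if (m.remaining() < 2) throw new DecodeError("Missing extensions length");
        int total = Short.toUnsignedInt(m.getShort());
        if (total > m.remaining()) {      // declared total exceeds the bytes present
            throw new DecodeError("Insufficient extensions data");
        }
        List<Ext> exts = new ArrayList<>();
        while (total > 0) {
            if (total < 4) {              // no room left for the type and length fields
                throw new DecodeError("Truncated extension header");
            }
            int type = Short.toUnsignedInt(m.getShort());
            int len = Short.toUnsignedInt(m.getShort());
            total -= 4;
            if (len > total) {            // entry would run past the declared block
                throw new DecodeError("Extension data exceeds extensions block");
            }
            byte[] data = new byte[len];
            m.get(data);                  // safe: len <= total <= bytes remaining
            total -= len;
            exts.add(new Ext(type, data));
        }
        return exts;
    }

    public static void main(String[] args) {
        // Constructed blocks: well-formed, oversized total length, oversized entry length.
        for (String hex : new String[] {"0005ff01000100", "0010ff01000100", "0005ff01000400"}) {
            try {
                int n = parse(ByteBuffer.wrap(HexFormat.of().parseHex(hex))).size();
                System.out.println(hex + " -> " + n + " extension(s)");
            } catch (DecodeError e) {
                System.out.println(hex + " -> decode_error: " + e.getMessage());
            }
        }
    }
}
```

Every failure here is structural, which is why a single alert type is enough for the sketch.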


