Hello,
Working with Apache Directory API while getting Active Directory schema
over SSL uncovered a bug in Mina 2 code. The attempt to read the data
ended up in an endless loop caused by consecutive overflows from the SSL
engine. What is worse, no indication of this condition was passed to the
client. The patch is attached.
--
Radovan Semancik
Software Architect
evolveum.com
From 2609143563ac57e694f1543281b6a1752eaadf8f Mon Sep 17 00:00:00 2001
From: Radovan Semancik <[email protected]>
Date: Wed, 20 Jan 2016 16:52:15 +0100
Subject: [PATCH 1/2] Fixing buffer expansion in case of overflow, avoiding
endless loop.
---
.../src/main/java/org/apache/mina/filter/ssl/SslHandler.java | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/mina-core/src/main/java/org/apache/mina/filter/ssl/SslHandler.java b/mina-core/src/main/java/org/apache/mina/filter/ssl/SslHandler.java
index 973fd10..929a948 100644
--- a/mina-core/src/main/java/org/apache/mina/filter/ssl/SslHandler.java
+++ b/mina-core/src/main/java/org/apache/mina/filter/ssl/SslHandler.java
@@ -748,10 +748,16 @@ class SslHandler {
if (status == SSLEngineResult.Status.BUFFER_OVERFLOW) {
// We have to grow the target buffer, it's too small.
// Then we can call the unwrap method again
- appBuffer.capacity(sslEngine.getSession().getApplicationBufferSize());
- appBuffer.limit(appBuffer.capacity());
+ int newCapacity = sslEngine.getSession().getApplicationBufferSize();
+ if (appBuffer.remaining() >= newCapacity) {
+ // The buffer is already larger than the max buffer size suggested by the SSL engine.
+ // Raising it any more will not make sense and it will end up in an endless loop. Throwing an error is safer.
+ throw new SSLException("SSL buffer overflow");
+ }
+ appBuffer.expand(newCapacity);
continue;
}
+
} while (((status == SSLEngineResult.Status.OK) || (status == SSLEngineResult.Status.BUFFER_OVERFLOW))
&& ((handshakeStatus == SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING) || (handshakeStatus == SSLEngineResult.HandshakeStatus.NEED_UNWRAP)));
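Review bot: the new `throw new SSLException("SSL buffer overflow")` in the BUFFER_OVERFLOW branch carries no context for diagnosing the failure; consider including `appBuffer.remaining()` and `newCapacity` in the message so a caller can tell this guard apart from other SSL errors. The guard tests `appBuffer.remaining()` against the engine's application buffer size, whereas the removed lines worked on `capacity()` and `limit()`; a short comment saying why remaining space is the right measure, and confirming that `appBuffer.expand(newCapacity)` leaves the limit where the next unwrap needs it, would make the change easier to verify. The comment inside the `if` says the buffer is "already larger" although the test is `>=`. The blank line added before `} while` is unrelated whitespace and can be dropped.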
--
2.1.4
From 9e1f731613cd3bd1d71bb2f04d4d59450ecb4d8e Mon Sep 17 00:00:00 2001
From: Radovan Semancik <[email protected]>
Date: Wed, 20 Jan 2016 16:52:48 +0100
Subject: [PATCH 2/2] Typo fix
---
mina-core/src/main/java/org/apache/mina/core/buffer/IoBuffer.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mina-core/src/main/java/org/apache/mina/core/buffer/IoBuffer.java b/mina-core/src/main/java/org/apache/mina/core/buffer/IoBuffer.java
index 11d3199..7372ab7 100644
--- a/mina-core/src/main/java/org/apache/mina/core/buffer/IoBuffer.java
+++ b/mina-core/src/main/java/org/apache/mina/core/buffer/IoBuffer.java
@@ -725,7 +725,7 @@ public abstract class IoBuffer implements Comparable<IoBuffer> {
/**
* @see java.nio.Buffer#hasRemaining()
*
- * @return <tt>true</tt> if there are some reamining bytes in the buffer
+ * @return <tt>true</tt> if there are some remaining bytes in the buffer
*/
public abstract boolean hasRemaining();
--
2.1.4