Emmanuel Lecharny created DIRMINA-1023:
------------------------------------------

             Summary: Infinite loop in SslHandler when the AppBuffer is too small
                 Key: DIRMINA-1023
                 URL: https://issues.apache.org/jira/browse/DIRMINA-1023
             Project: MINA
          Issue Type: Bug
          Components: SSL
    Affects Versions: 2.0.10
            Reporter: Emmanuel Lecharny
            Priority: Blocker
             Fix For: 2.0.11


Radovan Semancik found a bug in the SslHandler class:

{noformat}
Hello,

Working with Apache Directory API while getting Active Directory schema over 
SSL uncovered a bug in Mina 2 code. The attempt to read the data ended up in 
an endless loop caused by consecutive overflows from the SSL engine. What is 
worse, no indication of this condition was passed to the client. The patch is 
attached.

-- 
Radovan Semancik
Software Architect
evolveum.com
{noformat}

and here is the patch:

{noformat}
---
 .../src/main/java/org/apache/mina/filter/ssl/SslHandler.java   | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/mina-core/src/main/java/org/apache/mina/filter/ssl/SslHandler.java 
b/mina-core/src/main/java/org/apache/mina/filter/ssl/SslHandler.java
index 973fd10..929a948 100644
--- a/mina-core/src/main/java/org/apache/mina/filter/ssl/SslHandler.java
+++ b/mina-core/src/main/java/org/apache/mina/filter/ssl/SslHandler.java
@@ -748,10 +748,16 @@ class SslHandler {
             if (status == SSLEngineResult.Status.BUFFER_OVERFLOW) {
                 // We have to grow the target buffer, it's too small.
                 // Then we can call the unwrap method again
-                
appBuffer.capacity(sslEngine.getSession().getApplicationBufferSize());
-                appBuffer.limit(appBuffer.capacity());
+                int newCapacity = 
sslEngine.getSession().getApplicationBufferSize();
+                if (appBuffer.remaining() >= newCapacity) {
+                    // The buffer is already larger than the max buffer size 
suggested by the SSL engine.
+                    // Raising it any more will not make sense and it will end 
up in an endless loop. Throwing an error is safer.
+                    throw new SSLException("SSL buffer overflow");
+                }
+                appBuffer.expand(newCapacity);
                 continue;
             }
+            
         } while (((status == SSLEngineResult.Status.OK) || (status == 
SSLEngineResult.Status.BUFFER_OVERFLOW))
                 && ((handshakeStatus == 
SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING) || (handshakeStatus == 
SSLEngineResult.HandshakeStatus.NEED_UNWRAP)));
 
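Review bot: The exception thrown in the new guard, throw new SSLException("SSL buffer overflow"), carries no sizes, so a caller who hits it cannot tell how much room the buffer had or what the engine asked for; include appBuffer.remaining() and newCapacity in the message. The comment above the throw says the buffer is "already larger than the max buffer size", but the condition tests appBuffer.remaining(), the free space from the current position, not the capacity, so the comment should be reworded to match the check. The whitespace-only line added before "} while" can be dropped.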
-- 
2.1.4
{noformat}



