[ https://issues.apache.org/jira/browse/NIFI-11680?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Handermann updated NIFI-11680:
------------------------------------
Status: Patch Available (was: Open)
> Buffer Overflow with Connection Load Balancing and Bouncy Castle TLS
> --------------------------------------------------------------------
>
> Key: NIFI-11680
> URL: https://issues.apache.org/jira/browse/NIFI-11680
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
> Affects Versions: 1.22.0
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Major
> Fix For: 1.latest, 2.latest
>
>
> Cluster Connection Load Balancing is susceptible to a
> {{BufferOverflowException}} when the Java Virtual Machine is configured with
> an alternative Security Provider for TLS, such as the Bouncy Castle Security
> Provider.
>
> The standard JDK [SSLSession
> implementation|https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java#L1394]
> provides {{getPacketBufferSize()}} and {{getApplicationBufferSize()}}
> methods to support runtime determination of required buffer sizes for
> encrypted and decrypted records. The standard implementation calculates
> specific sizes based on TLS protocol version.
>
> The Bouncy Castle [SSLSession
> implementation|https://github.com/bcgit/bc-java/blob/master/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSessionBase.java#L99]
> uses a hard-coded value of 16384 for the Application Buffer Size and uses a
> [worst-case scenario
> calculation|https://github.com/bcgit/bc-java/blob/master/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSessionBase.java#L150]
> for the Packet Buffer Size.
>
> When running with the Bouncy Castle implementation, the NiFi {{PeerChannel}}
> can produce encrypted packets that exceed the prepared buffer size, resulting
> in a {{BufferOverflowException}}.
>
> Instead of using the {{SSLSession}} Application Buffer Size to expand the
> encrypted prepared buffer, the {{PeerChannel}} method should adjust the
> prepared buffer based on the size of the current destination buffer. This
> approach should ensure correct behavior regardless of the TLS Security
> Provider implementation.
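
One way to grow the encrypted destination buffer from its own current capacity instead of from SSLSession-reported sizes, as described in the issue above. This is an added example, not NiFi's PeerChannel code or the patch attached to this issue; the class name, the wrapGrowing helper, the host name and the port are hypothetical, and it runs against whatever default TLS provider the JVM has configured.

```java
import java.nio.ByteBuffer;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;

public class WrapGrowDemo {
    // Hypothetical helper: encrypts src into dst and returns the buffer that
    // holds the record, which may be a larger replacement for dst.
    static ByteBuffer wrapGrowing(SSLEngine engine, ByteBuffer src, ByteBuffer dst)
            throws SSLException {
        while (true) {
            SSLEngineResult result = engine.wrap(src, dst);
            switch (result.getStatus()) {
                case OK:
                    return dst;
                case BUFFER_OVERFLOW:
                    // Size the replacement from the destination's current capacity,
                    // so the loop does not depend on provider-specific session sizes.
                    ByteBuffer larger = ByteBuffer.allocate(Math.max(dst.capacity() * 2, 1024));
                    dst.flip();          // keep any records already written
                    larger.put(dst);
                    dst = larger;
                    break;               // leaves the switch; the loop retries wrap()
                case CLOSED:
                    throw new SSLException("engine closed during wrap");
                default:
                    throw new SSLException("unexpected wrap status " + result.getStatus());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed peer name and port; no network connection is made.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine("peer.example", 8443);
        engine.setUseClientMode(true);
        engine.beginHandshake();

        // Deliberately undersized destination: the first wrap() reports BUFFER_OVERFLOW.
        ByteBuffer tooSmall = ByteBuffer.allocate(64);
        ByteBuffer out = wrapGrowing(engine, ByteBuffer.allocate(0), tooSmall);
        out.flip();
        System.out.printf("session packet size=%d, final capacity=%d, first record bytes=%d%n",
                engine.getSession().getPacketBufferSize(), out.capacity(), out.remaining());
    }
}
```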