Hi,
I have a question regarding the buffer overflow checks
in 0.9.6g.
Why do we always check for
SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER?
Shouldn't it be for
SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER?
Line 437 in get_client_master_key():

    len = 10 + (unsigned long)s->s2->tmp.clear + (unsigned long)s->s2->tmp.enc + (unsigned long)keya;
    if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
        {
        ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
        SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_MESSAGE_TOO_LONG);
        return -1;
        }
Since Client-hello (which has a similar check) and
Client-master-key messages go in the clear, they are
sent with a 2-byte header. And as we know, a 2-byte header
allows a larger record length than a 3-byte header, so
the above checks ideally should have used
SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER.
Yes, it's true that Client-hello and Client-master-key
are small messages and will not exceed the maximum 3-byte-
header record length either.
Please correct me if I am wrong.
Thanks,
Tushar.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
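An added example, not from Tushar's message and not OpenSSL's own code, that decodes the two SSLv2 record header forms the question turns on and then applies the quoted CLIENT-MASTER-KEY length check to a parsed message. The limit values (32767 for a 2-byte header, 16383 for a 3-byte header) and SSL2_MT_CLIENT_MASTER_KEY = 2 are the definitions from OpenSSL's ssl/ssl2.h; the sample message, its cipher-kind bytes and field lengths are constructed here, and the function names (ssl2_parse_record_header, ssl2_cmk_length_ok, ssl2_parse_client_master_key, demo_*) are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* From OpenSSL ssl/ssl2.h: a 2-byte header carries a 15-bit length,
 * a 3-byte header a 14-bit length, so the 3-byte limit is the smaller one. */
#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 32767
#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383
#define SSL2_MT_CLIENT_MASTER_KEY 2

/* CLIENT-MASTER-KEY fixed fields: msg-type (1), cipher-kind (3),
 * clear-key-length (2), encrypted-key-length (2), key-arg-length (2).
 * This is the "10" in the quoted check. */
#define SSL2_CMK_FIXED_LEN 10

struct ssl2_rec_hdr {
    int two_byte;     /* 1 for a 2-byte header, 0 for a 3-byte header */
    int is_escape;    /* security-escape bit (3-byte header only) */
    size_t hdr_len;   /* 2 or 3 */
    size_t len;       /* record length as carried in the header */
    size_t padding;   /* trailing padding byte count (3-byte header only) */
};

/* Decode an SSLv2 record header. Returns 0 on success, -1 if the buffer
 * is too short or the header is internally inconsistent. */
int ssl2_parse_record_header(const uint8_t *buf, size_t buflen,
                             struct ssl2_rec_hdr *h)
{
    if (buf == NULL || h == NULL || buflen < 2)
        return -1;
    memset(h, 0, sizeof(*h));
    if (buf[0] & 0x80) {
        /* High bit set: 2-byte header, 15-bit length, no padding. */
        h->two_byte = 1;
        h->hdr_len = 2;
        h->len = ((size_t)(buf[0] & 0x7f) << 8) | buf[1];
    } else {
        /* High bit clear: 3-byte header; bit 6 is the escape flag,
         * low 14 bits are the length, third byte is the padding count. */
        if (buflen < 3)
            return -1;
        h->hdr_len = 3;
        h->is_escape = (buf[0] & 0x40) != 0;
        h->len = ((size_t)(buf[0] & 0x3f) << 8) | buf[1];
        h->padding = buf[2];
        if (h->padding > h->len)
            return -1;   /* padding cannot exceed the record body */
    }
    return 0;
}

/* The bound from the quoted get_client_master_key() check, unchanged:
 * fixed fields plus the three variable fields must fit the 3-byte limit. */
int ssl2_cmk_length_ok(unsigned long clear, unsigned long enc,
                       unsigned long keya)
{
    unsigned long len = SSL2_CMK_FIXED_LEN + clear + enc + keya;
    return len <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER;
}

struct ssl2_cmk {
    uint8_t cipher_kind[3];
    unsigned clear_len, enc_len, keyarg_len;
};

/* Parse the fixed part of a CLIENT-MASTER-KEY message, apply the length
 * bound, then verify the variable fields are actually present in msg
 * before anything reads them. Returns 0 on success, -1 on failure. */
int ssl2_parse_client_master_key(const uint8_t *msg, size_t msglen,
                                 struct ssl2_cmk *out)
{
    if (msg == NULL || out == NULL || msglen < SSL2_CMK_FIXED_LEN)
        return -1;
    if (msg[0] != SSL2_MT_CLIENT_MASTER_KEY)
        return -1;
    memcpy(out->cipher_kind, msg + 1, 3);
    out->clear_len  = ((unsigned)msg[4] << 8) | msg[5];
    out->enc_len    = ((unsigned)msg[6] << 8) | msg[7];
    out->keyarg_len = ((unsigned)msg[8] << 8) | msg[9];
    if (!ssl2_cmk_length_ok(out->clear_len, out->enc_len, out->keyarg_len))
        return -1;
    /* Each length is at most 65535, so this sum cannot overflow size_t. */
    if (msglen < (size_t)SSL2_CMK_FIXED_LEN + out->clear_len
                 + out->enc_len + out->keyarg_len)
        return -1;
    return 0;
}

/* Constructed sample (not a captured message): arbitrary cipher-kind
 * bytes, 11 clear bytes, 128 encrypted bytes, 8 key-arg bytes. */
int demo_client_master_key(void)
{
    uint8_t msg[SSL2_CMK_FIXED_LEN + 11 + 128 + 8];
    struct ssl2_cmk cmk;
    memset(msg, 0xAA, sizeof(msg));          /* filler for the variable fields */
    msg[0] = SSL2_MT_CLIENT_MASTER_KEY;
    msg[1] = 0x01; msg[2] = 0x00; msg[3] = 0x80; /* cipher kind (placeholder) */
    msg[4] = 0x00; msg[5] = 11;              /* clear-key-length   */
    msg[6] = 0x00; msg[7] = 128;             /* encrypted-key-length */
    msg[8] = 0x00; msg[9] = 8;               /* key-arg-length     */
    return ssl2_parse_client_master_key(msg, sizeof(msg), &cmk);
}

/* Constructed sample whose clear-key-length (0x3fff) alone pushes the
 * total past 16383, so the quoted bound rejects it. */
int demo_client_master_key_too_long(void)
{
    uint8_t msg[SSL2_CMK_FIXED_LEN] = { SSL2_MT_CLIENT_MASTER_KEY,
        0x01, 0x00, 0x80, 0x3f, 0xff, 0x00, 0x00, 0x00, 0x00 };
    struct ssl2_cmk cmk;
    return ssl2_parse_client_master_key(msg, sizeof(msg), &cmk);
}

int main(void)
{
    struct ssl2_rec_hdr h;
    const uint8_t two[2] = { 0x92, 0x34 };     /* constructed 2-byte header */
    const uint8_t three[3] = { 0x41, 0x00, 0x05 }; /* constructed 3-byte header */
    ssl2_parse_record_header(two, sizeof(two), &h);
    printf("2-byte header: len=%zu\n", h.len);
    ssl2_parse_record_header(three, sizeof(three), &h);
    printf("3-byte header: len=%zu padding=%zu escape=%d\n",
           h.len, h.padding, h.is_escape);
    printf("sample CMK ok: %d, oversized CMK: %d\n",
           demo_client_master_key(), demo_client_master_key_too_long());
    return 0;
}
```

Because 16383 is the smaller of the two limits, any message that satisfies the 3-byte-header bound also satisfies the 2-byte-header bound; the parser separately confirms that the buffer really contains the bytes the three length fields announce, which is the check that matters for the buffer-overflow question regardless of which constant is named.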