I think that's a good idea. I've made the change. http://cr.openjdk.java.net/~jnimeh/reviews/8224997/webrev.02/
Thanks for the review, --Jamil On 8/16/19 9:36 AM, Xue-Lei Fan wrote:
Good catch! For the engineGetOutputSize() implementation, as the inputLen parameter is an external input, we may want to ensure it is not too big to integer overflow. The Math.addExact() was used to check the overflow issues. What do you think we keep using the Math.addExact() method, at line 1243 and 1314? Otherwise, looks fine to me. Xuelei ----- Original Message ----- From:jamil.j.ni...@oracle.com To:security-dev@openjdk.java.net Sent: Monday, August 12, 2019 12:59:32 PM GMT -08:00 US/Canada Pacific Subject: [RFR] JDK-8224997: ChaCha20-Poly1305 TLS cipher suite decryption throws ShortBufferException Hello all, This fix addresses a problem first found by Netty/Jetty when decrypting payloads in excess of ~4096 bytes using one of the ChaCha20-Poly1305 cipher suites. The root cause of the issue is not in the TLS code, it is actually an issue with how ChaCha20-Poly1305 was implementing CipherSpi.engineGetOutputSize(). The bug was also partially worked around due to changes in CipherSpi from 8181386, but this properly addresses the output buffer sizing. Thanks to Adrian Todt and Bradley Wagner for the Catnip and Jetty support while trying to replicate the issue originally. Bug:https://bugs.openjdk.java.net/browse/JDK-8224997 Webrev:http://cr.openjdk.java.net/~jnimeh/reviews/8224997/webrev.01/ --Jamil
