https://github.com/openssl/openssl
Revision d30ef639647ad263d09740c931a5bfb5a8b6a5f6 authored by Matt Caswell on 08 May 2020, 10:12:10 UTC, committed by Matt Caswell on 15 May 2020, 10:26:43 UTC
The alignment calculation in ssl3_setup_write incorrectly results in an alignment allowance of (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1) bytes. This equals 3 in almost all cases. The maximum alignment actually used in do_ssl3_write is (SSL3_ALIGN_PAYLOAD - 1). This equals 7 bytes in almost all cases. So there is a potential to overrun the buffer by up to 4 bytes. Fortunately, the encryption overhead allowed for is 80 bytes which consists of 16 bytes for the cipher block size and 64 bytes for the MAC output. However the biggest MAC that we ever produce is HMAC-384 which is 48 bytes - so we have a headroom of 16 bytes (i.e. more than the 4 bytes of potential overrun). Thanks to Nagesh Hegde for reporting this. Fixes #11766 Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/11768)
1 parent 7689926
Tip revision: d30ef639647ad263d09740c931a5bfb5a8b6a5f6 authored by Matt Caswell on 08 May 2020, 10:12:10 UTC
Correct alignment calculation in ssl3_setup_write
Correct alignment calculation in ssl3_setup_write
Tip revision: d30ef63
| File | Mode | Size |
|---|---|---|
| .github | ||
| Configurations | ||
| VMS | ||
| apps | ||
| boringssl @ 2070f8a | ||
| crypto | ||
| demos | ||
| dev | ||
| doc | ||
| engines | ||
| external | ||
| fuzz | ||
| include | ||
| krb5 @ 890ca2f | ||
| ms | ||
| os-dep | ||
| providers | ||
| pyca-cryptography @ 0940310 | ||
| ssl | ||
| test | ||
| tools | ||
| util | ||
| .gitattributes | -rw-r--r-- | 501 bytes |
| .gitignore | -rw-r--r-- | 3.3 KB |
| .gitmodules | -rw-r--r-- | 270 bytes |
| .travis-apt-pin.preferences | -rw-r--r-- | 256 bytes |
| .travis-create-release.sh | -rw-r--r-- | 44 bytes |
| .travis.yml | -rw-r--r-- | 10.9 KB |
| ACKNOWLEDGEMENTS.md | -rw-r--r-- | 158 bytes |
| AUTHORS.md | -rw-r--r-- | 832 bytes |
| CHANGES.md | -rw-r--r-- | 677.4 KB |
| CONTRIBUTING.md | -rw-r--r-- | 4.0 KB |
| Configure | -rwxr-xr-x | 121.3 KB |
| FAQ.md | -rw-r--r-- | 197 bytes |
| HACKING | -rw-r--r-- | 1.1 KB |
| INSTALL.md | -rw-r--r-- | 60.0 KB |
| LICENSE | -rw-r--r-- | 9.9 KB |
| NEWS.md | -rw-r--r-- | 64.2 KB |
| NOTES.ANDROID | -rw-r--r-- | 4.4 KB |
| NOTES.DJGPP | -rw-r--r-- | 2.0 KB |
| NOTES.PERL | -rw-r--r-- | 4.5 KB |
| NOTES.UNIX | -rw-r--r-- | 5.4 KB |
| NOTES.VALGRIND | -rw-r--r-- | 2.6 KB |
| NOTES.VMS | -rw-r--r-- | 3.6 KB |
| NOTES.WIN | -rw-r--r-- | 7.2 KB |
| README.ENGINE | -rw-r--r-- | 15.7 KB |
| README.FIPS | -rw-r--r-- | 61 bytes |
| README.md | -rw-r--r-- | 6.8 KB |
| SUPPORT.md | -rw-r--r-- | 4.8 KB |
| VERSION | -rw-r--r-- | 99 bytes |
| appveyor.yml | -rw-r--r-- | 2.5 KB |
| build.info | -rw-r--r-- | 1.3 KB |
| config | -rwxr-xr-x | 27.6 KB |
| config.com | -rw-r--r-- | 2.5 KB |
| configdata.pm.in | -rw-r--r-- | 13.7 KB |
| e_os.h | -rw-r--r-- | 9.1 KB |
Computing file changes ...
