Possible Issue

Possible Issue

Me
Possibly vulnerable file: openssl-1.0.1g/ssl/d1_clnt.c
Line: 155 unsigned char sctpauthkey[64];

Fixed-size arrays can be overflowed. To fix the problem, use functions that limit length, or ensure that the size is larger than the maximum possible length. It avoids attacks like buffer overflow!

Best Regards!


Re: Possible Issue

Michael Tuexen-4
On 14 Apr 2014, at 08:33, Me <[hidden email]> wrote:

> Possibly vulnerable file: openssl-1.0.1g/ssl/d1_clnt.c
> Line: 155 unsigned char sctpauthkey[64];
>
> Fixed-size arrays can be overflowed. To fix the problem, use functions that limit length, or ensure that the size is larger than the maximum possible length. It avoids attacks like buffer overflow!
Hi,

as far as I read the code, the variable sctpauthkey is filled via
SSL_export_keying_material(s, sctpauthkey, sizeof(sctpauthkey), labelbuffer, sizeof(labelbuffer), NULL, 0, 0);
which only fills in sizeof(sctpauthkey) bytes.

It is then used in
BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, sizeof(sctpauthkey), sctpauthkey);
which is also fine, I think.

The constant 64 comes from the second sentence in
https://tools.ietf.org/html/rfc6083#section-4.8

Please let me know how an overflow can happen.

Best regards
Michael
>
> Best Regards!
>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
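Michael's point above, that the fill is bounded because the length argument is sizeof(sctpauthkey), as an added C example that is not from the thread or from OpenSSL. It assumes a stub in place of SSL_export_keying_material() that writes exactly the requested number of bytes, and wraps the 64-byte key in guard bytes (a test fixture only) so the bounded call can be checked to stay inside the array; the second function shows the companion check when the destination buffer comes from a caller.

```c
#include <stddef.h>
#include <string.h>
#define SCTP_AUTH_KEY_LEN 64   /* key length from RFC 6083, section 4.8 */
#define GUARD_LEN 16
static const char LABEL[] = "EXPORTER_DTLS_OVER_SCTP"; /* RFC 6083 exporter label */
static unsigned char scratch[SCTP_AUTH_KEY_LEN];     /* buffer used by the test */

/* Stand-in for SSL_export_keying_material(): writes exactly outlen bytes
 * derived from the label. Constructed for this example, not OpenSSL code. */
static int stub_export_keying_material(unsigned char *out, size_t outlen,
                                       const char *label, size_t labellen)
{
    size_t i;
    if (out == NULL || label == NULL || labellen == 0) return 0;
    for (i = 0; i < outlen; i++)
        out[i] = (unsigned char)(label[i % labellen] ^ (unsigned char)i);
    return 1;
}

/* Key bracketed by guard bytes (test fixture, not production layout). */
struct guarded_key {
    unsigned char before[GUARD_LEN];
    unsigned char sctpauthkey[SCTP_AUTH_KEY_LEN];
    unsigned char after[GUARD_LEN];
};

/* Same shape as the d1_clnt.c call: the length passed is sizeof() of the
 * destination. Returns 1 if the key was derived and both guards are intact. */
int check_bounded_fill(void)
{
    struct guarded_key g;
    unsigned char guard[GUARD_LEN];
    memset(guard, 0xA5, sizeof(guard));
    memcpy(g.before, guard, sizeof(guard));
    memcpy(g.after, guard, sizeof(guard));
    if (!stub_export_keying_material(g.sctpauthkey, sizeof(g.sctpauthkey),
                                     LABEL, sizeof(LABEL) - 1))
        return 0;
    return memcmp(g.before, guard, sizeof(guard)) == 0 &&
           memcmp(g.after, guard, sizeof(guard)) == 0;
}

/* When the destination is supplied by a caller, reject one that cannot
 * hold the full key rather than truncating or overrunning it. */
int derive_into_caller_buffer(unsigned char *out, size_t outlen)
{
    if (out == NULL || outlen < SCTP_AUTH_KEY_LEN) return 0;
    return stub_export_keying_material(out, SCTP_AUTH_KEY_LEN,
                                       LABEL, sizeof(LABEL) - 1);
}
```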

RE: Possible Issue

J. J. Farrell-2
From: Me [mailto:[hidden email]]
Sent: Monday, April 14, 2014 7:34 AM
>
> Possibly vulnerable file: openssl-1.0.1g/ssl/d1_clnt.c
> Line: 155 unsigned char sctpauthkey[64];
>
> Fixed-size arrays can be overflowed.

True, but only because ALL arrays can be overflowed no matter
how they are sized or allocated.

> To fix the problem

What problem?

> use functions that limit length, or ensure that the size is
> larger than the maximum possible length.

So show us the problem. What code accesses this array without either:
- explicitly limiting the length to the length of this array; or
- never accessing more than 64 bytes?

> It avoids attacks like buffer overflow!

To avoid buffer overflow attacks, the code must never overflow
buffers. The sizes of the buffers and the ways they are allocated
are not directly relevant.