authorJohn Thacker <johnthacker@gmail.com>2023-03-09 17:28:27 -0500
committerJohn Thacker <johnthacker@gmail.com>2023-03-11 02:03:16 +0000
commita329db7dd289d125417d32a2c10379e6a04b99dc (patch)
treeea03864905b8dd1dc0092e1e949160038601e932
parent5f7122828cc3d379b447e6b4916415dc6a6dfa61 (diff)
TLS: Fail without exception when decrypting truncated records
On truncated TLS records, just fail when attempting to decrypt or calculate the handshake hash instead of raising a BoundsError. The appropriate exception will be raised later when fields are actually added to the tree. This only makes a difference on the first pass, especially with unencrypted initial handshake messages, as we don't try to decrypt or calculate the hash on the second pass. Fix #18896
-rw-r--r--epan/dissectors/packet-tls-utils.c2
-rw-r--r--epan/dissectors/packet-tls.c9
2 files changed, 8 insertions, 3 deletions
diff --git a/epan/dissectors/packet-tls-utils.c b/epan/dissectors/packet-tls-utils.c
index d33392a906..d2d2d7fa57 100644
--- a/epan/dissectors/packet-tls-utils.c
+++ b/epan/dissectors/packet-tls-utils.c
@@ -10773,7 +10773,7 @@ ssl_calculate_handshake_hash(SslDecryptSession *ssl_session, tvbuff_t *tvb, guin
guint32 old_length = ssl_session->handshake_data.data_len;
ssl_debug_printf("Calculating hash with offset %d %d\n", offset, length);
ssl_session->handshake_data.data = (guchar *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
- if (tvb) {
+ if (tvb && tvb_bytes_exist(tvb, offset, length)) {
tvb_memcpy(tvb, ssl_session->handshake_data.data + old_length, offset, length);
} else {
memset(ssl_session->handshake_data.data + old_length, 0, length);
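Review bot: In ssl_calculate_handshake_hash the `wmem_realloc(wmem_file_scope(), …, old_length + length)` call still runs before the new `tvb_bytes_exist` test, and a truncated record now falls into the `memset` branch that previously handled only a NULL tvb. The file-scoped handshake buffer therefore grows by the caller-supplied `length` (presumably taken from the message header, not from the bytes actually captured) and is padded with zeros, so any hash later derived from it would be silently wrong rather than "failing" as the commit message describes. Consider checking before the allocation and bailing out, e.g. `if (tvb && !tvb_bytes_exist(tvb, offset, length)) { ssl_debug_printf("ssl_calculate_handshake_hash: record truncated\n"); return; }`, assuming the function returns void; its signature and the end of its body are outside the hunk. If the zero-fill is intentional, a comment on the else branch such as `/* tvb is NULL or the record is truncated: pad with zeros */` would make that explicit.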
diff --git a/epan/dissectors/packet-tls.c b/epan/dissectors/packet-tls.c
index cd2677dede..c2b630c0c7 100644
--- a/epan/dissectors/packet-tls.c
+++ b/epan/dissectors/packet-tls.c
@@ -1166,7 +1166,7 @@ decrypt_ssl3_record(tvbuff_t *tvb, packet_info *pinfo, guint32 offset, SslDecryp
gboolean success;
gint direction;
StringInfo *data_for_iv;
- gint data_for_iv_len;
+ gint data_for_iv_len, data_for_iv_offset;
SslDecoder *decoder;
/* if we can decrypt and decryption was a success
@@ -1188,7 +1188,12 @@ decrypt_ssl3_record(tvbuff_t *tvb, packet_info *pinfo, guint32 offset, SslDecryp
/* save data to update IV if decoder is available or updated later */
data_for_iv = (direction != 0) ? &ssl->server_data_for_iv : &ssl->client_data_for_iv;
data_for_iv_len = (record_length < 24) ? record_length : 24;
- ssl_data_set(data_for_iv, (const guchar*)tvb_get_ptr(tvb, offset + record_length - data_for_iv_len, data_for_iv_len), data_for_iv_len);
+ data_for_iv_offset = offset + record_length - data_for_iv_len;
+ if (!tvb_bytes_exist(tvb, data_for_iv_offset, data_for_iv_len)) {
+ ssl_debug_printf("decrypt_ssl3_record: record truncated\n");
+ return FALSE;
+ }
+ ssl_data_set(data_for_iv, (const guchar*)tvb_get_ptr(tvb, data_for_iv_offset, data_for_iv_len), data_for_iv_len);
if (!decoder) {
ssl_debug_printf("decrypt_ssl3_record: no decoder available\n");