authorPeter Wu <peter@lekensteyn.nl>2015-02-18 13:01:33 +0100
committerAnders Broman <a.broman58@gmail.com>2015-02-19 05:11:07 +0000
commitff1c33ca49df0d3f8179872cec8c614c3c682d4d (patch)
tree467fcca90ad44a8b3738ce9669c19a262d6473fd
parent7d66c257bf60ac8005e52b26b01e7ae9f79e0a4d (diff)
ssl: check for minimal SSLv3/TLS record size
When a TLS record is fragmented over multiple TCP segments, with its first byte in one segment, and the remainder over the others, ssl_looks_like_sslv3() throws an exception because it tries to access the third byte. This breaks the encryption state, resulting in very weird (scrambled) decrypted data. To fix this, check the record size before using it. Also add TLSv1.1 and TLSv1.2 as known versions. Change-Id: Ie0ca78302a5d6c4241ea699d2ef6f7b873dd51ee Reviewed-on: https://code.wireshark.org/review/7234 Reviewed-by: Peter Wu <peter@lekensteyn.nl> Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Anders Broman <a.broman58@gmail.com>
-rw-r--r--epan/dissectors/packet-ssl.c15
1 files changed, 15 insertions, 0 deletions
diff --git a/epan/dissectors/packet-ssl.c b/epan/dissectors/packet-ssl.c
index 6327743951..c956605249 100644
--- a/epan/dissectors/packet-ssl.c
+++ b/epan/dissectors/packet-ssl.c
@@ -663,6 +663,21 @@ dissect_ssl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
case SSL_VER_SSLv3:
case SSL_VER_TLS:
+ case SSL_VER_TLSv1DOT1:
+ case SSL_VER_TLSv1DOT2:
+ /* SSLv3/TLS record headers need at least 1+2+2 = 5 bytes. */
+ if (tvb_reported_length_remaining(tvb, offset) < 5) {
+ if (ssl_desegment && pinfo->can_desegment) {
+ pinfo->desegment_offset = offset;
+ pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
+ need_desegmentation = TRUE;
+ } else {
+ /* Not enough bytes available. Stop here. */
+ offset = tvb_reported_length(tvb);
+ }
+ break;
+ }
+
/* the version tracking code works too well ;-)
* at times, we may visit a v2 client hello after
* we already know the version of the connection;