authorPeter Wu <peter@lekensteyn.nl>2017-02-14 11:18:24 +0100
committerPeter Wu <peter@lekensteyn.nl>2017-02-15 12:19:40 +0000
commitbb1450b017226b0da892c7c3ebba0fe1621e38d9 (patch)
tree2b87694692e7ae756873aad0dbe5a447b4b9f9f5 /epan/dissectors/packet-ssl-utils.c
parentefcb5c07f04210ee89e57347c867a64d3486ebc4 (diff)
downloadwireshark-bb1450b017226b0da892c7c3ebba0fe1621e38d9.tar.gz
ssl,dtls: fix wrong expert info for overly large records
The plaintext length is limited to 2^14, but the actual record length (TLSCiphertext) may be larger due to expansion from compression and the cipher (like AEAD auth tags). The wrong check led to false expert infos. Change-Id: I3a56f1b0af05ecc1d97c4f1f0bcf35ff4d0fad42 Fixes: v2.3.0rc0-1584-gff0371e898 ("ssl,dtls: add expert info for overly large record lengths") Reviewed-on: https://code.wireshark.org/review/20099 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl> Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Diffstat (limited to 'epan/dissectors/packet-ssl-utils.c')
-rw-r--r--epan/dissectors/packet-ssl-utils.c23
1 files changed, 23 insertions, 0 deletions
diff --git a/epan/dissectors/packet-ssl-utils.c b/epan/dissectors/packet-ssl-utils.c
index 28b49aaa61..23a348af0b 100644
--- a/epan/dissectors/packet-ssl-utils.c
+++ b/epan/dissectors/packet-ssl-utils.c
@@ -6669,6 +6669,29 @@ ssl_try_set_version(SslSession *session, SslDecryptSession *ssl,
}
}
+void
+ssl_check_record_length(ssl_common_dissect_t *hf, packet_info *pinfo,
+ guint record_length, proto_item *length_pi,
+ guint16 version, tvbuff_t *decrypted_tvb)
+{
+ guint max_expansion;
+ if (version == TLSV1DOT3_VERSION) {
+ /* TLS 1.3: Max length is 2^14 + 256 */
+ max_expansion = 256;
+ } else {
+ /* RFC 5246, Section 6.2.3: TLSCiphertext.fragment length MUST NOT exceed 2^14 + 2048 */
+ max_expansion = 2048;
+ }
+ if (record_length > TLS_MAX_RECORD_LENGTH + max_expansion) {
+ expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
+ "TLSCiphertext length MUST NOT exceed 2^14 + %u", max_expansion);
+ }
+ if (decrypted_tvb && tvb_captured_length(decrypted_tvb) > TLS_MAX_RECORD_LENGTH) {
+ expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
+ "TLSPlaintext length MUST NOT exceed 2^14");
+ }
+}
+
static void
ssl_set_cipher(SslDecryptSession *ssl, guint16 cipher)
{
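Review bot: The TLSPlaintext check near the end of the new ssl_check_record_length (`tvb_captured_length(decrypted_tvb) > TLS_MAX_RECORD_LENGTH`) is only correct if `decrypted_tvb` already holds the decompressed fragment; if the callers pass the decrypted-but-not-yet-decompressed TLSCompressed fragment, RFC 5246 §6.2.2 allows it up to 2^14 + 1024 bytes, and a compressed record would trip the same false expert info this commit sets out to remove. That cannot be settled from this hunk, so it is worth confirming against the ssl and dtls callers and, if the tvb is pre-decompression, either widening the bound when compression is negotiated or noting the assumption next to the check. Separately, the function is exported without any header comment; a short Doxygen block stating that `record_length` is the TLSCiphertext length on the wire, `length_pi` the item the expert info is attached to, `version` the negotiated version used to pick the 256 (TLS 1.3) or 2048 (RFC 5246) expansion, and `decrypted_tvb` the optional (may be NULL) plaintext would make the contract clear to callers. Whether `length_pi` may itself be NULL here is not visible in the hunk and is presumably up to expert_add_info_format's handling — confirm before relying on it.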