tls: fix out-of-bounds read in ClientHelloParser · nodejs/node@42225c3 · GitHub

Commit 42225c3

tniessen authored and RafaelGSS committed
tls: fix out-of-bounds read in ClientHelloParser

ClientHelloParser::ParseHeader(data, avail) potentially accesses data beyond avail bytes because it trusts the client to transmit a valid frame length. Sending an impossibly small frame length causes the TLS server to read beyond the buffer provided by the caller. Guard against this by calling End() on the ClientHelloParser when the client transmits an impossibly small frame length.

The test is designed to reliably cause a segmentation fault on Linux and Windows when the buffer overrun occurs, and to trigger a spatial safety violation when compiled with an address sanitizer enabled or when running under valgrind.

PR-URL: #44580
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Minwoo Jung <nodecorelab@gmail.com>
1 parent 9a43214 commit 42225c3
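The failure mode the commit message describes and the guard it adds, as an added illustration that is not Node's code: a cut-down parser (the names MiniClientHelloParser and Feed, the sample records, and the 5-byte record header layout are my assumptions) in which a claimed frame length below six bytes would pass the `body_offset_ + frame_len_ > avail` check and then index past the buffer, unless the guard ends parsing first.

```cpp
#include <cstddef>
#include <cstdint>
// Added illustration, not Node's code: a cut-down ClientHelloParser-style state
// machine carrying the guard the commit adds. Layout follows the commit message:
// a 5-byte TLS record header, then a handshake header needing at least six bytes.
enum class State { kWaiting, kEnded, kParsed };
struct MiniClientHelloParser {
  State state = State::kWaiting;
  size_t body_offset_ = 0;  // where the handshake frame starts in the buffer
  size_t frame_len_ = 0;    // frame length claimed by the record header
  uint16_t version = 0;     // protocol version read from the ClientHello
  void End() { state = State::kEnded; }
  // Record header: type(1) version(2) length(2). Needs five bytes to proceed.
  bool ParseRecordHeader(const uint8_t* data, size_t avail) {
    if (avail < 5) return false;
    if (data[0] != 0x16) { End(); return false; }  // not a handshake record
    frame_len_ = (static_cast<size_t>(data[3]) << 8) | data[4];
    body_offset_ = 5;
    return true;
  }
  void ParseHeader(const uint8_t* data, size_t avail) {
    // The guard from the commit: no honest ClientHello fits in fewer than six
    // bytes, so a smaller claimed length is terminal, not "wait for more data".
    if (frame_len_ < 6) return End();
    // Only now is it safe to demand the full frame and index into it.
    if (body_offset_ + frame_len_ > avail) return;
    const uint8_t* body = data + body_offset_;
    if (body[0] != 0x01) return End();  // kClientHello
    version = (static_cast<uint16_t>(body[4]) << 8) | body[5];
    state = State::kParsed;
  }
  State Feed(const uint8_t* data, size_t avail) {
    if (ParseRecordHeader(data, avail)) ParseHeader(data, avail);
    return state;
  }
};
// Constructed inputs (not captured traffic), one per path the guard affects.
inline State ParseTinyFrame() {       // claims a 2-byte frame: ended, body untouched
  const uint8_t rec[] = {0x16, 0x03, 0x01, 0x00, 0x02, 0x01, 0x00};
  MiniClientHelloParser p; return p.Feed(rec, sizeof rec);
}
inline State ParseTruncated() {       // claims 6 bytes, only the header arrived
  const uint8_t rec[] = {0x16, 0x03, 0x01, 0x00, 0x06};
  MiniClientHelloParser p; return p.Feed(rec, sizeof rec);
}
inline uint16_t ParseValidVersion() { // complete minimal frame carrying TLS 1.2
  const uint8_t rec[] = {0x16, 0x03, 0x01, 0x00, 0x06, 0x01, 0x00, 0x00, 0x02, 0x03, 0x03};
  MiniClientHelloParser p; p.Feed(rec, sizeof rec); return p.version;
}
```

Without the `frame_len_ < 6` line, ParseTinyFrame would pass the avail check (5 + 2 is not greater than 7) and read body[4] and body[5] beyond the seven-byte buffer, which is exactly the overrun the commit closes.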

3 files changed

Lines changed: 128 additions & 0 deletions

File tree

node.gyp

Lines changed: 1 addition & 0 deletions

src/crypto/crypto_clienthello.cc

Lines changed: 5 additions & 0 deletions
@@ -75,6 +75,11 @@ bool ClientHelloParser::ParseRecordHeader(const uint8_t* data, size_t avail) {
7575
void ClientHelloParser::ParseHeader(const uint8_t* data, size_t avail) {
7676
ClientHello hello;
7777

78+
// We need at least six bytes (one byte for kClientHello, three bytes for the
79+
// length of the handshake message, and two bytes for the protocol version).
80+
// If the client sent a frame that suggests a smaller ClientHello, give up.
81+
if (frame_len_ < 6) return End();
82+
7883
// >= 5 + frame size bytes for frame parsing
7984
if (body_offset_ + frame_len_ > avail)
8085
return;
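Review bot: the literal 6 in `if (frame_len_ < 6) return End();` is justified only by the comment above it; a named constant shared with the handshake-header offsets read later would keep the minimum and those reads from drifting apart. The choice of `return End();` over the plain `return;` used by the following `if (body_offset_ + frame_len_ > avail)` check looks right: that check only waits for the rest of the frame, whereas a frame shorter than six bytes can never become valid with more input, and placing the guard before the avail check matters, because a tiny frame_len_ satisfies the avail check on its own and the six-byte reads that follow would then run past avail.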
Lines changed: 122 additions & 0 deletions
