MINA / DIRMINA-1023

Infinite loop in SslHandler when the AppBuffer is too small

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 2.0.10
    • Fix Version/s: 2.0.11
    • Component/s: SSL
    • Labels:
      None

      Description

      Radovan Semancik found a bug in the SslHandler class:

      Hello,
      
      Working with Apache Directory API while getting Active Directory schema over SSL uncovered a bug in Mina 2 code. The attempt to read the data ended up in an endless loop caused by consecutive overflows from the SSL engine. What is worse, no indication of this condition was passed to the client. The patch is attached.
      
      -- 
      Radovan Semancik
      Software Architect
      evolveum.com
      

      and here is the patch:

      ---
       .../src/main/java/org/apache/mina/filter/ssl/SslHandler.java   | 10 ++++++++--
       1 file changed, 8 insertions(+), 2 deletions(-)
      
      diff --git a/mina-core/src/main/java/org/apache/mina/filter/ssl/SslHandler.java b/mina-core/src/main/java/org/apache/mina/filter/ssl/SslHandler.java
      index 973fd10..929a948 100644
      --- a/mina-core/src/main/java/org/apache/mina/filter/ssl/SslHandler.java
      +++ b/mina-core/src/main/java/org/apache/mina/filter/ssl/SslHandler.java
      @@ -748,10 +748,16 @@ class SslHandler {
                   if (status == SSLEngineResult.Status.BUFFER_OVERFLOW) {
                       // We have to grow the target buffer, it's too small.
                       // Then we can call the unwrap method again
      -                appBuffer.capacity(sslEngine.getSession().getApplicationBufferSize());
      -                appBuffer.limit(appBuffer.capacity());
      +                int newCapacity = sslEngine.getSession().getApplicationBufferSize();
      +                if (appBuffer.remaining() >= newCapacity) {
      +                    // The buffer is already larger than the max buffer size suggested by the SSL engine.
      +                    // Raising it any more will not make sense and it will end up in an endless loop. Throwing an error is safer.
      +                    throw new SSLException("SSL buffer overflow");
      +                }
      +                appBuffer.expand(newCapacity);
                       continue;
                   }
      +            
               } while (((status == SSLEngineResult.Status.OK) || (status == SSLEngineResult.Status.BUFFER_OVERFLOW))
                       && ((handshakeStatus == SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING) || (handshakeStatus == SSLEngineResult.HandshakeStatus.NEED_UNWRAP)));
       
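      Review bot: The comment inside the new `if (appBuffer.remaining() >= newCapacity)` branch says the buffer is "already larger than the max buffer size", but the test is on remaining(), the free space, not on the buffer's capacity. Reword the comment to say that the free space already meets the size the SSL engine asks for, so a later reader does not "correct" the check to capacity(). The SSLException message "SSL buffer overflow" would be easier to diagnose if it also reported appBuffer.remaining() and newCapacity. The added `+` line after the closing brace of the overflow block contains only whitespace and can be dropped.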
      -- 
      2.1.4
      

        Activity

        elecharny Emmanuel Lecharny added a comment -

        Patch applied with commit 26c894d992d8581db966e161ea35e87f6670350d

          People

          • Assignee: Unassigned
          • Reporter: elecharny Emmanuel Lecharny