Blocker Description
Radovan Semancik found a bug in the SslHandler class :
Hello, Working with Apache Directory API while getting Active Directory schema over SSL uncovered a bug in Mina 2 code. The attempt to read the data ended up in endless loop caused by consecutive overflows from the SSL engine. What is worse, no indication of this condition was passed to the client. The patch is attached. -- Radovan Semancik Software Architect evolveum.com
and here is the patch :
---
.../src/main/java/org/apache/mina/filter/ssl/SslHandler.java | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/mina-core/src/main/java/org/apache/mina/filter/ssl/SslHandler.java b/mina-core/src/main/java/org/apache/mina/filter/ssl/SslHandler.java
index 973fd10..929a948 100644
--- a/mina-core/src/main/java/org/apache/mina/filter/ssl/SslHandler.java
+++ b/mina-core/src/main/java/org/apache/mina/filter/ssl/SslHandler.java
@@ -748,10 +748,16 @@ class SslHandler {
if (status == SSLEngineResult.Status.BUFFER_OVERFLOW) {
// We have to grow the target buffer, it's too small.
// Then we can call the unwrap method again
- appBuffer.capacity(sslEngine.getSession().getApplicationBufferSize());
- appBuffer.limit(appBuffer.capacity());
+ int newCapacity = sslEngine.getSession().getApplicationBufferSize();
+ if (appBuffer.remaining() >= newCapacity) {
+ // The buffer is already larger than the max buffer size suggested by the SSL engine.
+ // Raising it any more will not make sense and it will end up in an endless loop. Throwing an error is safer.
+ throw new SSLException("SSL buffer overflow");
+ }
+ appBuffer.expand(newCapacity);
continue;
}
+
} while (((status == SSLEngineResult.Status.OK) || (status == SSLEngineResult.Status.BUFFER_OVERFLOW))
&& ((handshakeStatus == SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING) || (handshakeStatus == SSLEngineResult.HandshakeStatus.NEED_UNWRAP)));
--
2.1.4