  1. MINA
  2. DIRMINA-1023

Infinite loop in SslHandler when the AppBuffer is too small

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 2.0.10
    • Fix Version/s: 2.0.11
    • Component/s: SSL
    • Labels:
      None

      Description

      Radovan Semancik found a bug in the SslHandler class:

      Hello,
      
      Working with Apache Directory API while getting Active Directory schema over SSL uncovered a bug in Mina 2 code. The attempt to read the data ended up in an endless loop caused by consecutive overflows from the SSL engine. What is worse, no indication of this condition was passed to the client. The patch is attached.
      
      -- 
      Radovan Semancik
      Software Architect
      evolveum.com
      

      and here is the patch:

      ---
       .../src/main/java/org/apache/mina/filter/ssl/SslHandler.java   | 10 ++++++++--
       1 file changed, 8 insertions(+), 2 deletions(-)
      
      diff --git a/mina-core/src/main/java/org/apache/mina/filter/ssl/SslHandler.java b/mina-core/src/main/java/org/apache/mina/filter/ssl/SslHandler.java
      index 973fd10..929a948 100644
      --- a/mina-core/src/main/java/org/apache/mina/filter/ssl/SslHandler.java
      +++ b/mina-core/src/main/java/org/apache/mina/filter/ssl/SslHandler.java
      @@ -748,10 +748,16 @@ class SslHandler {
                   if (status == SSLEngineResult.Status.BUFFER_OVERFLOW) {
                       // We have to grow the target buffer, it's too small.
                       // Then we can call the unwrap method again
      -                appBuffer.capacity(sslEngine.getSession().getApplicationBufferSize());
      -                appBuffer.limit(appBuffer.capacity());
      +                int newCapacity = sslEngine.getSession().getApplicationBufferSize();
      +                if (appBuffer.remaining() >= newCapacity) {
      +                    // The buffer is already larger than the max buffer size suggested by the SSL engine.
      +                    // Raising it any more will not make sense and it will end up in an endless loop. Throwing an error is safer.
      +                    throw new SSLException("SSL buffer overflow");
      +                }
      +                appBuffer.expand(newCapacity);
                       continue;
                   }
      +            
               } while (((status == SSLEngineResult.Status.OK) || (status == SSLEngineResult.Status.BUFFER_OVERFLOW))
                       && ((handshakeStatus == SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING) || (handshakeStatus == SSLEngineResult.HandshakeStatus.NEED_UNWRAP)));
       
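
      Review bot: The new `throw new SSLException("SSL buffer overflow")` in the BUFFER_OVERFLOW branch carries no diagnostic state, so a caller or log reader cannot tell how large the buffer was when the engine still reported overflow; include `appBuffer.remaining()` and `newCapacity` in the message. The comment above the throw says the buffer is "already larger than" the size suggested by the SSL engine while the test is `>=`, so reword it to "at least as large as" to match the condition. The whitespace-only line added after the closing brace of the `if (status == SSLEngineResult.Status.BUFFER_OVERFLOW)` block is unrelated to the fix and should be dropped. Since the report says the loop gave the client no indication of the failure, a regression test that drives unwrap into repeated BUFFER_OVERFLOW and asserts the SSLException would be worth adding alongside this change.
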
      -- 
      2.1.4
      

            People

            • Assignee:
              Unassigned
              Reporter:
              elecharny Emmanuel Lecharny