Subject: Possible buffer overflow on gnutls_session_get_data
Date: Tuesday 8th November 2011 11:55:54 UTC
The gnutls_session_get_data function in the GnuTLS library before 3.0.6, or before 2.12.13 on the 2.12.x branch, could overflow a too-short buffer passed in by the caller: the check meant to prevent the overflow did not work correctly.

Code using GnuTLS often calls gnutls_session_get_data() twice, first to learn the required size and then with a buffer allocated to exactly that size. With this pattern there is no buffer overflow. But if gnutls_session_get_data() is called once with a buffer that is too short, the function fails to detect it and writes past the end of the buffer. I am not aware of any code using gnutls_session_get_data() in this way, so it may be that no real software is affected by this bug.

The size of the session data is determined by the server and is opaque to the client. RFC 5077 allows a SessionTicket of up to about 65 kB but mandates no particular size, so a malicious server could send a larger SessionTicket in the hope of overflowing the client's buffer.
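The following is an added stand-alone model of the calling contract described above, not the GnuTLS source and not part of the original advisory. It contrasts the two-call "query size, allocate, fetch" pattern with a one-call fixed buffer, using a getter whose length check is correct and a getter whose length check cannot fail. The broken variant (it overwrites the caller's size before comparing) is a constructed illustration of the kind of failure the advisory describes; the advisory does not detail the real defect. All names (model_session, model_get_data_*, fetch_two_call, short_buffer_refused, SAMPLE_BLOB) and the sample blob are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return codes named after GnuTLS's but defined here for the model. */
#define MODEL_E_SUCCESS              0
#define MODEL_E_SHORT_MEMORY_BUFFER (-1)

/* Constructed stand-in for the packed session state. Its length is chosen by
 * the server (it contains the SessionTicket) and is opaque to the client. */
struct model_session {
    const unsigned char *packed;
    size_t packed_len;
};

typedef int (*get_data_fn)(const struct model_session *, void *, size_t *);

/* Hypothetical broken getter: it stores the required size into the caller's
 * size variable before comparing, so the comparison compares the value with
 * itself and can never fail. Constructed for illustration, not GnuTLS code. */
int model_get_data_broken(const struct model_session *s, void *data, size_t *data_size)
{
    *data_size = s->packed_len;                 /* report the size ... */
    if (*data_size < s->packed_len)             /* ... then compare it with itself */
        return MODEL_E_SHORT_MEMORY_BUFFER;     /* unreachable */
    if (data != NULL)
        memcpy(data, s->packed, s->packed_len); /* overflows a short buffer */
    return MODEL_E_SUCCESS;
}

/* Corrected getter: compare the caller's buffer size first; copy only when it
 * fits; on a NULL or short buffer report the required size and refuse. */
int model_get_data_checked(const struct model_session *s, void *data, size_t *data_size)
{
    size_t needed = s->packed_len;
    if (data == NULL || *data_size < needed) {
        *data_size = needed;                    /* tell the caller what to allocate */
        return MODEL_E_SHORT_MEMORY_BUFFER;
    }
    memcpy(data, s->packed, needed);
    *data_size = needed;
    return MODEL_E_SUCCESS;
}

/* Two-call pattern from the advisory: query the size, allocate exactly that,
 * fetch. Returns a malloc'd copy (caller frees) or NULL on failure. */
unsigned char *fetch_two_call(get_data_fn get, const struct model_session *s, size_t *out_len)
{
    size_t len = 0;
    int rc = get(s, NULL, &len);
    if ((rc != MODEL_E_SHORT_MEMORY_BUFFER && rc != MODEL_E_SUCCESS) || len == 0)
        return NULL;
    unsigned char *buf = malloc(len);
    if (buf == NULL)
        return NULL;
    if (get(s, buf, &len) != MODEL_E_SUCCESS) {
        free(buf);
        return NULL;
    }
    *out_len = len;
    return buf;
}

/* Returns 1 if the two-call pattern yields a byte-exact copy of the session. */
int two_call_roundtrip_ok(get_data_fn get, const struct model_session *s)
{
    size_t n = 0;
    unsigned char *p = fetch_two_call(get, s, &n);
    int ok = p != NULL && n == s->packed_len && memcmp(p, s->packed, n) == 0;
    free(p);
    return ok;
}

/* One-call pattern with a fixed 8-byte buffer, the risky usage. The 8-byte
 * window sits inside a larger 0xAA-filled arena so an overflowing getter
 * corrupts the canary rather than the stack. Returns 1 if the getter refused
 * the short buffer and left every byte past the window untouched, else 0. */
int short_buffer_refused(get_data_fn get, const struct model_session *s)
{
    unsigned char arena[128];
    if (s->packed_len > sizeof arena)           /* keep the probe itself in bounds */
        return 0;
    memset(arena, 0xAA, sizeof arena);
    size_t len = 8;                             /* what the caller actually allocated */
    int rc = get(s, arena, &len);
    for (size_t i = 8; i < sizeof arena; i++)
        if (arena[i] != 0xAA)
            return 0;                           /* canary overwritten */
    return rc == MODEL_E_SHORT_MEMORY_BUFFER;
}

/* Constructed sample: a server-chosen blob larger than the client's 8-byte guess. */
static const unsigned char SAMPLE_BLOB[] = "constructed-session-blob-from-server-0123";
const struct model_session SAMPLE_SESSION = { SAMPLE_BLOB, sizeof SAMPLE_BLOB - 1 };

int main(void)
{
    printf("checked getter refuses short buffer: %d\n",
           short_buffer_refused(model_get_data_checked, &SAMPLE_SESSION));
    printf("broken getter refuses short buffer:  %d\n",
           short_buffer_refused(model_get_data_broken, &SAMPLE_SESSION));
    printf("two-call pattern with checked getter: %d\n",
           two_call_roundtrip_ok(model_get_data_checked, &SAMPLE_SESSION));
    return 0;
}
```

The two-call pattern is safe with either getter because the second call's buffer is exactly the size the first call reported; only the one-call fixed-size usage depends on the getter's own length check, which is why a server that controls the session size can turn a faulty check into an overflow.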