From: Alban Crequy <alban.crequy <at> collabora.co.uk>
Subject: Possible buffer overflow on gnutls_session_get_data
Newsgroups: gmane.comp.encryption.gpg.gnutls.devel
Date: Tuesday 8th November 2011 11:55:54 UTC (over 5 years ago)
The gnutls_session_get_data function in the GnuTLS library before
3.0.6 or before 2.12.13 on the 2.12.x branch could overflow a
too-short buffer parameter allocated by the caller. The test to avoid
the buffer overflow was not working correctly.

Often the code using the GnuTLS library calls gnutls_session_get_data()
twice: the first time to get the buffer size and the second time with a
buffer allocated to the correct size. In this code pattern, there is no
buffer overflow.

But if gnutls_session_get_data() is called with a too-short buffer, the
function failed to detect it and it would overflow. I am not aware of
any code using gnutls_session_get_data() in this way. It could be that
there is no real software affected by this bug.

The size of the session data is determined by the server and it is
opaque to the client. RFC#5077 suggests it could be around 65kB but it
is not mandatory. A malicious server could send a larger SessionTicket
in the hope of overflowing the client.
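The two-call pattern the post describes, and the bounds check that the post says was defective, shown on a small self-contained mock. This is an added example, not GnuTLS code: `mock_session_get_data()`, `MOCK_E_SHORT_MEMORY_BUFFER`, `mock_session_t` and the 200-byte sample ticket are all constructed here to stand in for the real `gnutls_session_get_data()` contract (copy the opaque session data into the caller's buffer, or report the required size and return a short-buffer error when the caller's capacity is too small). The point a defender should take from it is that the capacity comparison has to happen before the copy, against the size the caller actually supplied, so a server-chosen ticket of arbitrary length can never write past the end of a fixed client buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the library's short-buffer error code (GnuTLS
 * has its own constant; this mock deliberately uses a value of its own). */
#define MOCK_E_SHORT_MEMORY_BUFFER (-100)

/* Constructed session object: the serialized session data is chosen by the
 * server and is opaque to the client, so the caller cannot know its length. */
typedef struct {
    const unsigned char *ticket;
    size_t ticket_len;
} mock_session_t;

/* Mock of the get_data contract (not GnuTLS's implementation):
 * on success copies the data into buf and writes its length to *size;
 * if *size is too small, writes the required length to *size and returns
 * an error WITHOUT touching buf. */
int mock_session_get_data(const mock_session_t *s, void *buf, size_t *size)
{
    if (s == NULL || size == NULL)
        return -1;
    /* The check the post says was not working: it must run before the
     * memcpy and compare the caller's capacity against the real length. */
    if (buf == NULL || *size < s->ticket_len) {
        *size = s->ticket_len;            /* tell the caller what is needed */
        return MOCK_E_SHORT_MEMORY_BUFFER;
    }
    memcpy(buf, s->ticket, s->ticket_len);
    *size = s->ticket_len;
    return 0;
}

/* The two-call pattern from the post: ask for the size, allocate exactly
 * that much, then fetch. Returns a malloc'd copy (caller frees) or NULL;
 * *out_len receives the copied length. */
unsigned char *fetch_session_data(const mock_session_t *s, size_t *out_len)
{
    size_t need = 0;
    unsigned char *buf;

    /* First call with no buffer: only the required size comes back. */
    if (mock_session_get_data(s, NULL, &need) != MOCK_E_SHORT_MEMORY_BUFFER || need == 0)
        return NULL;

    buf = malloc(need);
    if (buf == NULL)
        return NULL;

    /* Second call: capacity equals the reported size, so a correct
     * implementation cannot write past the end of buf. */
    if (mock_session_get_data(s, buf, &need) != 0) {
        free(buf);
        return NULL;
    }
    *out_len = need;
    return buf;
}

/* The failure mode from the post, handled correctly: a fixed 64-byte buffer
 * smaller than the ticket is refused, not overflowed. Returns 1 when the
 * call was rejected, the buffer was left untouched and the needed size was
 * reported. */
int short_buffer_is_rejected(const mock_session_t *s)
{
    unsigned char small[64];
    size_t cap = sizeof(small);
    memset(small, 0xAA, sizeof(small));
    int rc = mock_session_get_data(s, small, &cap);
    if (rc != MOCK_E_SHORT_MEMORY_BUFFER)
        return 0;
    for (size_t i = 0; i < sizeof(small); i++)
        if (small[i] != 0xAA)
            return 0;
    return cap == s->ticket_len;
}

/* Constructed sample: a 200-byte "ticket", deliberately larger than the
 * 64-byte buffer used above. */
static unsigned char sample_ticket[200];

mock_session_t make_sample_session(void)
{
    for (size_t i = 0; i < sizeof(sample_ticket); i++)
        sample_ticket[i] = (unsigned char)i;
    mock_session_t s = { sample_ticket, sizeof(sample_ticket) };
    return s;
}

int main(void)
{
    mock_session_t s = make_sample_session();
    size_t len = 0;
    unsigned char *data = fetch_session_data(&s, &len);
    printf("two-call fetch: %zu bytes\n", len);
    printf("short buffer rejected: %d\n", short_buffer_is_rejected(&s));
    free(data);
    return 0;
}
```

The mock's check uses the same shape a caller should expect from the real API: a short buffer yields an error and the required size, so the two-call pattern works, and a caller that nonetheless passes a fixed buffer is protected by the comparison rather than by luck about the server's ticket size.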