forked from osmocom/wireshark
SSL: dynamically allocate session ticket storage area to avoid buffer overflow
Fixes bug 9825 Change-Id: I20ae65331ec11b2f6774054df4c026fd5fa76d3a Reviewed-on: https://code.wireshark.org/review/447 Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Pascal Quantin <pascal.quantin@gmail.com>
This commit is contained in:
parent
2ab72685fb
commit
5fc9db83cf
|
@ -3715,7 +3715,7 @@ ssl_session_init(SslDecryptSession* ssl_session)
|
|||
ssl_session->session_id.data = ssl_session->_session_id;
|
||||
ssl_session->client_random.data = ssl_session->_client_random;
|
||||
ssl_session->server_random.data = ssl_session->_server_random;
|
||||
ssl_session->session_ticket.data = ssl_session->_session_ticket;
|
||||
ssl_session->session_ticket.data = NULL;
|
||||
ssl_session->session_ticket.data_len = 0;
|
||||
ssl_session->master_secret.data_len = 48;
|
||||
ssl_session->server_data_for_iv.data_len = 0;
|
||||
|
@ -4855,6 +4855,8 @@ ssl_dissect_hnd_hello_ext_session_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb
|
|||
if(is_client && ssl && ext_len != 0)
|
||||
{
|
||||
/*save the ticket on the ssl opaque so that we can use it as key on server hello */
|
||||
ssl->session_ticket.data = (guchar*)wmem_realloc(wmem_file_scope(),
|
||||
ssl->session_ticket.data, ext_len);
|
||||
tvb_memcpy(tvb,ssl->session_ticket.data, offset, ext_len);
|
||||
ssl->session_ticket.data_len = ext_len;
|
||||
}
|
||||
|
|
|
@ -334,7 +334,6 @@ typedef struct {
|
|||
typedef struct _SslDecryptSession {
|
||||
guchar _master_secret[48];
|
||||
guchar _session_id[256];
|
||||
guchar _session_ticket[1024];
|
||||
guchar _client_random[32];
|
||||
guchar _server_random[32];
|
||||
StringInfo session_id;
|
||||
|
|
|
@ -2533,6 +2533,8 @@ dissect_ssl3_hnd_new_ses_ticket(tvbuff_t *tvb, proto_tree *tree,
|
|||
|
||||
/* save the session ticket to cache */
|
||||
if(ssl){
|
||||
ssl->session_ticket.data = (guchar*)wmem_realloc(wmem_file_scope(),
|
||||
ssl->session_ticket.data, session_ticket_length);
|
||||
tvb_memcpy(tvb,ssl->session_ticket.data, offset, session_ticket_length);
|
||||
ssl->session_ticket.data_len = session_ticket_length;
|
||||
ssl_save_session_ticket(ssl, ssl_session_hash);
|
||||
|
|
Loading…
Reference in New Issue