You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@hc.apache.org by "Jason Mathison (Jira)" <ji...@apache.org> on 2021/11/04 13:34:00 UTC

[jira] [Commented] (HTTPCORE-694) Endless loop when encrypted buffer larger than plaintext buffer

    [ https://issues.apache.org/jira/browse/HTTPCORE-694?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17438723#comment-17438723 ] 

Jason Mathison commented on HTTPCORE-694:
-----------------------------------------

I put up a PR for the change.  I am trying to make a test, but this class currently doesn't have any unit tests, and it is proving to be quite hard to write tests for.  I will continue to work on it this morning.

> Endless loop when encrypted buffer larger than plaintext buffer
> ---------------------------------------------------------------
>
>                 Key: HTTPCORE-694
>                 URL: https://issues.apache.org/jira/browse/HTTPCORE-694
>             Project: HttpComponents HttpCore
>          Issue Type: Bug
>          Components: HttpCore
>    Affects Versions: 5.1.2, 5.2-alpha1
>            Reporter: Jason Mathison
>            Priority: Major
>             Fix For: 5.1.3, 5.2-alpha3
>
>
> We are having an issue where SSLIOSession::decryptData will effectively become an endless loop when the size of the inEncryptedBuf buffer is larger than the size of the inPlainBuf. 
> In this scenario the doUnwrap completely fills up the inPlainBuf.  This causes the 
>  if (inPlainBuf.hasRemaining())
>  to return false and never clear anything out of the inPlainBuf buffer.
> From what we can tell the 
>  if (inPlainBuf.hasRemaining()) {
> should be removed, as it is in error.  There is no reason that this buffer being full should prevent it from being emptied.
> We verified that removing this code from 5.1.2 resolved the issue we were facing, along with all tests continuing to pass.  There does not appear to be any change to this code in 5.2 alpha.
> This issue shows up when we use BouncyCastle for FIPS validated TLS, as it creates a larger inEncryptedBuf then the SUN stack.  This issue is completely reproducible when we get a large response from our endpoint. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org