You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@mina.apache.org by "Terence Marks (JIRA)" <ji...@apache.org> on 2015/07/28 09:18:04 UTC

[jira] [Created] (DIRMINA-1017) SSLEngine BUFFER_OVERFLOW (unwrap)

Terence Marks created DIRMINA-1017:
--------------------------------------

             Summary: SSLEngine BUFFER_OVERFLOW (unwrap)
                 Key: DIRMINA-1017
                 URL: https://issues.apache.org/jira/browse/DIRMINA-1017
             Project: MINA
          Issue Type: Bug
          Components: SSL
    Affects Versions: 2.0.9
         Environment: Android
            Reporter: Terence Marks
             Fix For: 2.0.10


I've discovered an issue with the SslHandler class when the unwrap method is called on the local SSLEngine member (SslHandler.sslEngine). 

If the returned status is SSLEngineResult.Status.BUFFER_OVERFLOW, the capacity of the output buffer (SslHandler.appBuffer) can be increased to a size which still may is not large enough for the result.

I have reproduced this issue consistently by sending a 4k frame over TLS1.2 to an android device. The frame gets heavily fragmented, sometimes into 6 frames, and the SSLEngine does not unwrap the frame until all the bytes have been received (since the hash is based on the entire frame).

Since the frame gets heavily fragmented, the last segment of the frame can be lower than 2048 bytes. Hence by increasing the capacity by << 1, the output buffer will still be under the required size. (Have a look through SslHandler source for "appBuffer.capacity(appBuffer.capacity() << 1);")

Anyway, the fix is really easy. Change the line:
appBuffer.capacity(appBuffer.capacity() << 1);

to:
appBuffer.capacity(sslEngine.getSession().getApplicationBufferSize());

This is actually in the java docs (http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLEngine.html) for the overflow buffer case.

Hope this helps,
Terence



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)