Posted to dev@tomcat.apache.org by bu...@apache.org on 2017/12/31 14:44:11 UTC

[Bug 61948] New: BufferUnderflowException and IllegalArgumentException in TLSClientHelloExtractor

https://bz.apache.org/bugzilla/show_bug.cgi?id=61948

            Bug ID: 61948
           Summary: BufferUnderflowException and IllegalArgumentException
                    in TLSClientHelloExtractor
           Product: Tomcat 9
           Version: 9.0.2
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Util
          Assignee: dev@tomcat.apache.org
          Reporter: katzyn@gmail.com
  Target Milestone: -----

I found two similar exceptions in the system journal.

1:22:10 org.apache.tomcat.util.net.NioEndpoint$SocketProcessor doRun
SEVERE:
java.nio.BufferUnderflowException
at java.base/java.nio.Buffer.nextGetIndex(Buffer.java:634)
at java.base/java.nio.HeapByteBuffer.getChar(HeapByteBuffer.java:299)
at org.apache.tomcat.util.net.TLSClientHelloExtractor.<init>(TLSClientHelloExtractor.java:110)
at org.apache.tomcat.util.net.SecureNioChannel.processSNI(SecureNioChannel.java:282)
at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:175)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1353)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:844)

1:22:11 org.apache.tomcat.util.net.NioEndpoint$SocketProcessor doRun
SEVERE:
java.lang.IllegalArgumentException: newPosition > limit: (34392 > 248)
at java.base/java.nio.Buffer.createPositionException(Buffer.java:313)
at java.base/java.nio.Buffer.position(Buffer.java:288)
at java.base/java.nio.ByteBuffer.position(ByteBuffer.java:1079)
at java.base/java.nio.ByteBuffer.position(ByteBuffer.java:260)
at org.apache.tomcat.util.net.TLSClientHelloExtractor.skipBytes(TLSClientHelloExtractor.java:250)
at org.apache.tomcat.util.net.TLSClientHelloExtractor.<init>(TLSClientHelloExtractor.java:141)
at org.apache.tomcat.util.net.SecureNioChannel.processSNI(SecureNioChannel.java:282)
at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:175)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1353)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:844)

It seems that TLSClientHelloExtractor doesn't have enough checks for sanity of
the received client hello message.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 61948] BufferUnderflowException and IllegalArgumentException in TLSClientHelloExtractor

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61948

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #5 from Mark Thomas <ma...@apache.org> ---
Fixed in:
- trunk for 9.0.3 onwards
- 8.5.x for 8.5.25 onwards

Earlier versions are not affected as SNI is not supported.



[Bug 61948] BufferUnderflowException and IllegalArgumentException in TLSClientHelloExtractor

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61948

--- Comment #3 from Evgenij Ryazanov <ka...@gmail.com> ---
I don't know the source of the requests from the system journal. I think that
both requests were ill-formed. They may even be specially crafted. I agree that
a simple try-catch will be more efficient and reasonable than a lot of
additional checks.



[Bug 61948] BufferUnderflowException and IllegalArgumentException in TLSClientHelloExtractor

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61948

--- Comment #7 from Mark Thomas <ma...@apache.org> ---
FYI I went through the SNI parsing code manually and as far as I could tell the
two provided test cases covered the two possible exception types for malformed
input. There was the possibility of an IndexOutOfBoundsException but the input
that could trigger that is not under user control and the values Tomcat
provides will never trigger it.

Of course, I could have missed something so any additional test cases would be
welcome.



[Bug 61948] BufferUnderflowException and IllegalArgumentException in TLSClientHelloExtractor

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61948

--- Comment #6 from Remy Maucherat <re...@apache.org> ---
This is the way I was planning to do it, so good.
Evgenij, please let us know if you find any legitimate TLS records that would
cause an exception (the debug level will now hide the fact the connection is
being closed, so it would be best to fix them now).



[Bug 61948] BufferUnderflowException and IllegalArgumentException in TLSClientHelloExtractor

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61948

--- Comment #1 from Evgenij Ryazanov <ka...@gmail.com> ---
The following simple code causes BufferUnderflowException in
TLSClientHelloExtractor.isClientHello() and IllegalArgumentException in
TLSClientHelloExtractor.skipBytes().

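import java.io.OutputStream;
import java.net.Socket;
import javax.net.SocketFactory;

// Wrapper class so the snippet compiles; the class name is arbitrary.
public class Bug61948 {
  public static void main(String[] args) throws Exception {
    // Two ill-formed TLS records, each sent on its own connection
    byte[][] data = {
      { /* TLS handshake */ 22, /* TLS 1.0 */ 3, 1, /* Length 0 */ 0, 0 },
      { /* TLS handshake */ 22, /* TLS 1.0 */ 3, 1, /* Length 4 */ 0, 4,
        /* Type 1 */ 1, /* Size 0 */ 0, 0, 0 },
    };

    for (byte[] a : data) {
      try (Socket s = SocketFactory.getDefault().createSocket("hostname", 443);
           OutputStream out = s.getOutputStream()) {
        out.write(a);
      }
    }
  }
}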

There are many ways to get exceptions with larger ill-formed packets.



[Bug 61948] BufferUnderflowException and IllegalArgumentException in TLSClientHelloExtractor

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61948

--- Comment #4 from Mark Thomas <ma...@apache.org> ---
If the code were to throw an IOException on a malformed ClientHello then a
debug log message would be generated as required.

I'm going to look at turning the simple code to reproduce into a test case and
then fixing the issue.



[Bug 61948] BufferUnderflowException and IllegalArgumentException in TLSClientHelloExtractor

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61948

--- Comment #2 from Remy Maucherat <re...@apache.org> ---
Do you have any exceptions for legitimate TLS records? If not, instead of
validating all reads, it is reasonable to catch the exceptions and log as debug
instead. I reviewed the code and it seems to properly validate the lengths, it
requests more data, etc.

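The approach discussed in comments #2 and #4, as an added example that is not part of the thread and is not Tomcat's code: a parser that trusts the length fields of a ClientHello is wrapped in a single catch that reports both runtime exception types as an IOException. The class and method names are hypothetical, the field layout is the standard TLS record and ClientHello layout, and the two inputs are the records from comment #1.

```java
import java.io.IOException;
import java.nio.BufferUnderflowException;
import java.nio.ByteBuffer;

// Added illustration; class and method names are hypothetical, not Tomcat's.
public class ClientHelloSketch {

    // Walks the fixed part of a ClientHello, trusting every length it reads.
    static void parseUnchecked(ByteBuffer b) {
        if (b.get() != 22) return;       // record type: handshake
        b.getChar();                     // record protocol version
        b.getChar();                     // record length
        if (b.get() != 1) return;        // handshake type: ClientHello
        skip(b, 3);                      // handshake length (24 bits)
        skip(b, 2);                      // client protocol version
        skip(b, 32);                     // random
        skip(b, b.get() & 0xFF);         // session id
        skip(b, b.getChar());            // cipher suites
    }

    // Throws IllegalArgumentException when the new position is past the limit.
    static void skip(ByteBuffer b, int n) {
        b.position(b.position() + n);
    }

    // One catch for both exception types, surfaced as a checked IOException
    // that the caller can log at debug level before closing the connection.
    static void parse(ByteBuffer b) throws IOException {
        int start = b.position();
        try {
            parseUnchecked(b);
        } catch (BufferUnderflowException | IllegalArgumentException e) {
            throw new IOException("Malformed ClientHello", e);
        } finally {
            b.position(start);           // never leave the buffer half consumed
        }
    }

    public static void main(String[] args) {
        byte[][] data = {                // the two records from comment #1
            { 22, 3, 1, 0, 0 },
            { 22, 3, 1, 0, 4, 1, 0, 0, 0 },
        };
        for (byte[] a : data) {
            try {
                parse(ByteBuffer.wrap(a));
                System.out.println("parsed");
            } catch (IOException e) {
                System.out.println(e.getMessage() + ": " + e.getCause());
            }
        }
    }
}
```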