URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=a616bd2d68168e8ed80b7e7917dad7266ffc6a7e
Submitter: "Peter Wu <peter@xxxxxxxxxxxxx>"
Changed: branch: master-2.6
Repository: wireshark
Commits:
a616bd2 by Peter Wu (peter@xxxxxxxxxxxxx):
TLS: fix potential buffer overflow with a malicious SSL 3.0 session
If a TLS 1.2 cipher suite with SHA384 was in use for a SSL 3.0 session,
then the "dgst" buffer in ssl3_check_mac could be overwritten with 24
bytes past the end of the buffer. To prevent this issue, restrict the
cipher suites that can be used with SSL 3.0.
I did not verify this theory with an actual capture since it is hard to
do so. An attacker would have to (1) create a malicious, non-compliant
implementation that (2) creates a network trace, and (3) convince the
user to install the required decryption secrets.
Bug: 15599
Change-Id: I2204f10f46209f9473e7f2003bda8aaac634e2e2
Reviewed-on: https://code.wireshark.org/review/32441
Petri-Dish: Peter Wu <peter@xxxxxxxxxxxxx>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@xxxxxxxxx>
(cherry picked from commit f73a6b4f7692700bec7da297dd425c34c6f8d081)
Reviewed-on: https://code.wireshark.org/review/32536
Reviewed-by: Peter Wu <peter@xxxxxxxxxxxxx>
Actions performed:
from 65812b4 Don't use dissector_try_uint_new() to call the subdissector.
add a616bd2 TLS: fix potential buffer overflow with a malicious SSL 3.0 session
Summary of changes:
epan/dissectors/packet-ssl-utils.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)