Wireshark · Wireshark-commits: [Wireshark-commits] master-3.0 23803a0: TLS: fix potential buffer overflow with a malicious SSL 3.0

[Wireshark code review <code-review-do-not-reply@xxxxxxxxxxxxx>]

URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=23803a05e7d4e50301efa493892ae4cb1d19624e
Submitter: "Peter Wu <peter@xxxxxxxxxxxxx>"
Changed: branch: master-3.0
Repository: wireshark

Commits:

23803a0 by Peter Wu (peter@xxxxxxxxxxxxx):

    TLS: fix potential buffer overflow with a malicious SSL 3.0 session
    
    If a TLS 1.2 cipher suite with SHA384 was in use for a SSL 3.0 session,
    then the "dgst" buffer in ssl3_check_mac could be overwritten with 24
    bytes past the end of the buffer. To prevent this issue, restrict the
    cipher suites that can be used with SSL 3.0.
    
    I did not verify this theory with an actual capture since it is hard to
    do so. An attacker would have to (1) create a malicious, non-compliant
    implementation that (2) creates a network trace, and (3) convince the
    user to install the required decryption secrets.
    
    Bug: 15599
    Change-Id: I2204f10f46209f9473e7f2003bda8aaac634e2e2
    Reviewed-on: https://code.wireshark.org/review/32441
    Petri-Dish: Peter Wu <peter@xxxxxxxxxxxxx>
    Tested-by: Petri Dish Buildbot
    Reviewed-by: Anders Broman <a.broman58@xxxxxxxxx>
    (cherry picked from commit f73a6b4f7692700bec7da297dd425c34c6f8d081)
    Reviewed-on: https://code.wireshark.org/review/32535
    Reviewed-by: Peter Wu <peter@xxxxxxxxxxxxx>
    

Actions performed:

    from  8390593   Don't use dissector_try_uint_new() to call the subdissector.
     add  23803a0   TLS: fix potential buffer overflow with a malicious SSL 3.0 session


Summary of changes:
 epan/dissectors/packet-tls-utils.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)