From: Willy Tarreau Date: Fri, 25 Apr 2014 21:59:58 +0000 (+0200) Subject: MINOR: ssl: finally catch the heartbeats missing the padding X-Git-Tag: v1.5-dev24~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=aeed672a6d2667024b0be5e142301ce212fdf086;p=thirdparty%2Fhaproxy.git MINOR: ssl: finally catch the heartbeats missing the padding Previous patch only focused on parsing the packet right and blocking it, so it relaxed one test on the packet length. The difference is not usable for attacking but the logs will not report an attack for such cases, which is probably bad. Better report all known invalid packets cases. --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 4a9d04e854..473c3c93c0 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -199,13 +199,13 @@ void ssl_sock_msgcbk(int write_p, int version, int content_type, const void *buf if (*p != TLS1_HB_REQUEST) return; - if (len < 3) + if (len < 1 + 2 + 16) /* 1 type + 2 size + 0 payload + 16 padding */ goto kill_it; payload = (p[1] * 256) + p[2]; if (3 + payload + 16 <= len) return; /* OK no problem */ - + kill_it: /* We have a clear heartbleed attack (CVE-2014-0160), the * advertised payload is larger than the advertised packet * length, so we have garbage in the buffer between the @@ -218,7 +218,6 @@ void ssl_sock_msgcbk(int write_p, int version, int content_type, const void *buf * above as SSL_ERROR_SSL while an other handshake failure with * a heartbeat message will be reported as SSL_ERROR_SYSCALL. */ - kill_it: ssl->max_send_fragment = 0; SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_SSL_HANDSHAKE_FAILURE); return;