session_pack: validate session_id_size on unpacking
authorAlexander Sosedkin <asosedkin@redhat.com>
Tue, 7 Apr 2026 08:16:03 +0000 (10:16 +0200)
committerAlexander Sosedkin <asosedkin@redhat.com>
Wed, 29 Apr 2026 14:26:23 +0000 (16:26 +0200)
A check for session_id_size not exceeding GNUTLS_MAX_SESSION_ID_SIZE
on loading persisted TLS session data was overlooked,
leading to a heap overflow
were the data corrupted in a malicious manner.

Reported-by: Haruto Kimura (Stella)
Fixes: #1817
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
lib/session_pack.c

index e54917bd78fee05cd118722c3c1f913efa3cc2e7..4cd788e2155b83f70ceaea925a3f6eed20a593ea 100644 (file)
@@ -973,6 +973,10 @@ static int unpack_security_parameters(gnutls_session_t session,
                &session->internals.resumed_security_parameters.session_id_size,
                1);
 
+       if (session->internals.resumed_security_parameters.session_id_size >
+           GNUTLS_MAX_SESSION_ID_SIZE)
+               return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
        BUFFER_POP(
                ps, session->internals.resumed_security_parameters.session_id,
                session->internals.resumed_security_parameters.session_id_size);
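Review bot: The added `session_id_size > GNUTLS_MAX_SESSION_ID_SIZE` check returns only after the length byte from the persisted data has been stored in `session->internals.resumed_security_parameters.session_id_size`, so the rejected value stays in the session on the error path. Whether any caller reads that field after a failed unpack is not visible here, but clearing it before returning (`session->internals.resumed_security_parameters.session_id_size = 0;`) would keep it consistent with the presumably fixed-size `session_id` buffer. The direct `return` also skips whatever failure handling the surrounding `BUFFER_POP` macros use. The function starts and ends outside this hunk, so confirm nothing acquired earlier needs releasing at this point. A one-line comment above the check, such as `/* length byte comes from persisted, untrusted session data */`, and a regression test that loads a packed session with an oversized session ID would guard against the check being dropped later.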