Merge branch 'ia/ssl/denial-of-service/OTP-9364' into dev

* ia/ssl/denial-of-service/OTP-9364: Prevention of denial of service attack
author: Ingela Anderton Andin <[email protected]> 2011-06-09 12:18:34 +0200
committer: Ingela Anderton Andin <[email protected]> 2011-06-09 12:18:34 +0200
commit: 751ec4f918bed2f5455538e6296c6b925bcca002 (patch)
tree: d983ce771c1a96a89a96abbf7fca46fb00fc5708 /lib
parent: 3b818d5ec09cd2bb4c650776b898af9206f13c68 (diff)
parent: 8f74c4a943269ab5eb1e6177282e5fb8c765d3b7 (diff)
download: otp-751ec4f918bed2f5455538e6296c6b925bcca002.tar.gz
otp-751ec4f918bed2f5455538e6296c6b925bcca002.tar.bz2
otp-751ec4f918bed2f5455538e6296c6b925bcca002.zip
3 files changed, 52 insertions, 7 deletions
diff --git a/lib/ssl/src/ssl_record.erl b/lib/ssl/src/ssl_record.erl
index f1c0073965..4c3c0b9c58 100644
--- a/lib/ssl/src/ssl_record.erl
+++ b/lib/ssl/src/ssl_record.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2007-2010. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2011. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -62,6 +62,8 @@
 
 -compile(inline).
 
+-define(INITIAL_BYTES, 5).
+
 %%====================================================================
 %% Internal application API
 %%====================================================================
@@ -360,16 +362,20 @@ get_tls_records_aux(<<1:1, Length0:15, Data0:Length0/binary, Rest/binary>>,
 
 get_tls_records_aux(<<0:1, _CT:7, ?BYTE(_MajVer), ?BYTE(_MinVer),
                      ?UINT16(Length), _/binary>>,
-                    _Acc) when Length > ?MAX_CIPHER_TEXT_LENGTH->
+                    _Acc) when Length > ?MAX_CIPHER_TEXT_LENGTH ->
     ?ALERT_REC(?FATAL, ?RECORD_OVERFLOW);
 
 get_tls_records_aux(<<1:1, Length0:15, _/binary>>,_Acc) 
-  when Length0 > ?MAX_CIPHER_TEXT_LENGTH->
+  when Length0 > ?MAX_CIPHER_TEXT_LENGTH ->
     ?ALERT_REC(?FATAL, ?RECORD_OVERFLOW);
 
 get_tls_records_aux(Data, Acc) ->
-    {lists:reverse(Acc), Data}.
-
+    case size(Data) =< ?MAX_CIPHER_TEXT_LENGTH + ?INITIAL_BYTES of
+	true ->
+	    {lists:reverse(Acc), Data};
+	false ->
+	    ?ALERT_REC(?FATAL, ?UNEXPECTED_MESSAGE)
+	end.
 %%--------------------------------------------------------------------
 -spec protocol_version(tls_atom_version() | tls_version()) -> 
 			      tls_version() | tls_atom_version().		      
diff --git a/lib/ssl/test/Makefile b/lib/ssl/test/Makefile
index 53b2223035..5be07cad2c 100644
--- a/lib/ssl/test/Makefile
+++ b/lib/ssl/test/Makefile
@@ -61,8 +61,10 @@ HRL_FILES = ssl_test_MACHINE.hrl
 
 HRL_FILES_SRC = \
 	ssl_int.hrl \
+	ssl_internal.hrl\
 	ssl_alert.hrl \
-	ssl_handshake.hrl
+	ssl_handshake.hrl \
+	ssl_record.hrl
 
 HRL_FILES_INC = 
 
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index ec287ed803..ecb5228a8b 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -30,6 +30,8 @@
 
 -include("ssl_alert.hrl").
 -include("ssl_int.hrl").
+-include("ssl_internal.hrl").
+-include("ssl_record.hrl").
 
 -define('24H_in_sec', 86400).  
 -define(TIMEOUT, 60000).
@@ -209,7 +211,7 @@ all() ->
      controller_dies, client_closes_socket, peercert,
      connect_dist, peername, sockname, socket_options,
      misc_ssl_options, versions, cipher_suites, upgrade,
-     upgrade_with_timeout, tcp_connect, ipv6, ekeyfile,
+     upgrade_with_timeout, tcp_connect, tcp_connect_big, ipv6, ekeyfile,
      ecertfile, ecacertfile, eoptions, shutdown,
      shutdown_write, shutdown_both, shutdown_error,
      ciphers_rsa_signed_certs, ciphers_rsa_signed_certs_ssl3,
@@ -1097,6 +1099,41 @@ tcp_connect(Config) when is_list(Config) ->
 	    end
     end.
 
+tcp_connect_big(doc) ->
+    ["Test what happens when a tcp tries to connect, i,e. a bad big (ssl) packet is sent first"];
+
+tcp_connect_big(suite) ->
+    [];
+
+tcp_connect_big(Config) when is_list(Config) ->
+    ServerOpts = ?config(server_opts, Config),
+    {_, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+    TcpOpts = [binary, {reuseaddr, true}],
+
+    Server = ssl_test_lib:start_upgrade_server([{node, ServerNode}, {port, 0},
+						{from, self()},
+						{timeout, 5000},
+						{mfa, {?MODULE, dummy, []}},
+						{tcp_options, TcpOpts},
+						{ssl_options, ServerOpts}]),
+    Port = ssl_test_lib:inet_port(Server),
+
+    {ok, Socket} = gen_tcp:connect(Hostname, Port, [binary, {packet, 0}]),
+    test_server:format("Testcase ~p connected to Server ~p ~n", [self(), Server]),
+
+    Rand = crypto:rand_bytes(?MAX_CIPHER_TEXT_LENGTH+1),
+    gen_tcp:send(Socket, <<?BYTE(0),
+			   ?BYTE(3), ?BYTE(1), ?UINT16(?MAX_CIPHER_TEXT_LENGTH), Rand/binary>>),
+
+    receive
+	{tcp_closed, Socket} ->
+	    receive
+		{Server, {error, timeout}} ->
+		    test_server:fail("hangs");
+		{Server, {error, Error}} ->
+		    test_server:format("Error ~p", [Error])
+	    end
+    end.
 
 dummy(_Socket) ->
     %% Should not happen as the ssl connection will not be established
author	Ingela Anderton Andin <[email protected]>	2011-06-09 12:18:34 +0200
committer	Ingela Anderton Andin <[email protected]>	2011-06-09 12:18:34 +0200
commit	751ec4f918bed2f5455538e6296c6b925bcca002 (patch)
tree	d983ce771c1a96a89a96abbf7fca46fb00fc5708 /lib
parent	3b818d5ec09cd2bb4c650776b898af9206f13c68 (diff)
parent	8f74c4a943269ab5eb1e6177282e5fb8c765d3b7 (diff)
download	otp-751ec4f918bed2f5455538e6296c6b925bcca002.tar.gz otp-751ec4f918bed2f5455538e6296c6b925bcca002.tar.bz2 otp-751ec4f918bed2f5455538e6296c6b925bcca002.zip