Full Disclosure mailing list archives
Re: heartbleed OpenSSL bug CVE-2014-0160
From: Ricardo Iramar dos Santos <riramar () gmail com>
Date: Fri, 11 Apr 2014 12:21:40 -0300
I think that I found the answer for my question on the RFCs 6520 on page 5 ( https://tools.ietf.org/html/rfc6520#page-5) and 6066 page 8 ( https://tools.ietf.org/html/rfc6066#page-8). Take a look on the RFC6520 on page 5: The total length of a HeartbeatMessage MUST NOT exceed 2^14 or max_fragment_length when negotiated as defined in [RFC6066]. Now let's take a look on RFC6066 page 8: Without this extension, TLS specifies a fixed maximum plaintext fragment length of 2^14 bytes. It may be desirable for constrained clients to negotiate a smaller maximum fragment length due to memory limitations or bandwidth limitations. I think the idea to have the client setting a SMALLER length is just for in case of memory or bandwidth limits. I had this in my mind because if there wasn't a reasonable explanation for the client set the length it could be that the developer malicious intention to include this bug. Anyway, I was thinking wrong since we have the reason on the RFCs. Thanks Ricardo Iramar On Fri, Apr 11, 2014 at 12:09 AM, Ricardo Iramar dos Santos < riramar () gmail com> wrote:
Reading this post http://vrt-blog.snort.org/2014/04/heartbleed-memory-disclosure-upgrade.htmlit's saying "This is the length indicated by the SSL client for the heartbeat payload". Why the client should set the length of a payload? Why not have a fix or some values? Sorry but I'm a not C developer and I didn't get the idea of this. "Finally (and here's the critical part), using the size supplied by the attacker rather than its actual length, it copies the request payload bytes to the response buffer." On Thu, Apr 10, 2014 at 9:17 PM, Michal Zalewski <lcamtuf () coredump cx>wrote:http://m.smh.com.au/it-pro/security-it/man-who-introduced-serious-heartbleed-security-flaw-denies-he-inserted-it-deliberately-20140410-zqta1.html "Man who introduced serious 'Heartbleed' security flaw denies he inserted it deliberately" Wow, we're climbing to some new levels here. /mz _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Re: heartbleed OpenSSL bug CVE-2014-0160, (continued)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Ivan .Heca (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Brandon Perry (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Marco Davids (priv) (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Juergen Christoffel (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Paul Vixie (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Michal Zalewski (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Ferenc Kovacs (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Manuel Tiago Pereira (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Schmidt, Michael (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Afonso Araújo Neto (Apr 11)
- Message not available
- Re: heartbleed OpenSSL bug CVE-2014-0160 Ricardo Iramar dos Santos (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 HaCKsPy (Apr 11)
- Andrew "Weev" Auernheimer's Conviction Thrown Out g () 1337 io (Apr 11)
- Re: Andrew "Weev" Auernheimer's Conviction Thrown Out Jeffrey Paul (Apr 11)
- Re: Andrew "Weev" Auernheimer's Conviction Thrown Out Groundworks Technologies Advisories (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Michal Zalewski (Apr 11)