From e6487ab490edbc28618270164ca0503bb02018ea Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 6 Jun 2022 14:54:58 -0400 Subject: [PATCH] Add a changelog entry for the cookie parsing bounds bug Co-authored-by: Gilles Peskine Signed-off-by: Andrzej Kurek --- ChangeLog.d/cookie_parsing_bug.txt | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 ChangeLog.d/cookie_parsing_bug.txt diff --git a/ChangeLog.d/cookie_parsing_bug.txt b/ChangeLog.d/cookie_parsing_bug.txt new file mode 100644 index 000000000..a5f5875d3 --- /dev/null +++ b/ChangeLog.d/cookie_parsing_bug.txt @@ -0,0 +1,11 @@ +Security + * Fix a buffer overread in DTLS ClientHello parsing in servers with + MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled. An unauthenticated client + or a man-in-the-middle could cause a DTLS server to read up to 255 bytes + after the end of the SSL input buffer. The buffer overread only happens + when MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that depends on + the exact configuration: 258 bytes if using mbedtls_ssl_cookie_check(), + and possibly up to 571 bytes with a custom cookie check function. + If the function provider deliberately omits these size checks, he/she + is responsible for the negative impact on his/her code. + Reported by the Cybeats PSI Team.
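Review bot: the last two lines of the entry ("If the function provider deliberately omits these size checks, he/she is responsible for the negative impact on his/her code.") read as a liability disclaimer rather than a statement of what changed, and the "he/she"/"his/her" construction is awkward in a changelog; consider rewording to something like "A custom cookie check function that does not validate the cookie length must itself stay within this bound." The phrase "possibly up to 571 bytes with a custom cookie check function" is also vague about where that figure comes from; a short clause explaining how the 258 and 571 byte thresholds are derived (and which configuration option each depends on) would let readers judge whether their own MBEDTLS_SSL_IN_CONTENT_LEN setting is affected. Finally, since this is a Security entry, add the CVE identifier if one has been assigned, and consider stating in the first sentence that the fix is a bounds check in the ClientHello cookie parsing so the entry says what was corrected, not only what could happen.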