On Wed, Apr 23, 2014 at 1:06 AM, Max Rottenkolber max@mr.gy wrote:
From what I understand about the bug (I have not seen the code) it sounds like data length information arrived both directly and indirectly in the client message and that a conflict between them was not scrutinized.
No. The bug was that the keep alive protocol in SSL mandates the server to echo arbitrary data back to the client. The bounds checks were wrong too, but at that stage it really doesn't matter. The design is just plain wrong.
It is a bit curious that the protocol mandates this echoing, and one could certainly debate whether this is good protocol design, but as far as the actual vulnerability goes, David's characterization is accurate. The heartbeat request arrives with some number of bytes of data attached to it, and also with a length field that tells the server how many bytes the client would like echoed back. There was no check that the client didn't request more bytes be echoed than it had actually sent.
-- Scott