[gnutls-devel] GnuTLS | record_size_limit extension (!733)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Mon Aug 20 10:21:10 CEST 2018


Nikos Mavrogiannopoulos started a new discussion on lib/ext/record_size_limit.c:

> +};
> +
> +static int
> +_gnutls_record_size_limit_recv_params(gnutls_session_t session,
> +				      const uint8_t * data, size_t _data_size)
> +{
> +	ssize_t new_size;
> +	ssize_t data_size = _data_size;
> +
> +	DECR_LEN(data_size, 2);
> +	new_size = _gnutls_read_uint16(data);
> +
> +	/* treat receipt of a smaller value as a fatal error */
> +	if (new_size < 64)
> +		return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
> +
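
Review bot: after `DECR_LEN(data_size, 2)` the hunk never checks that `data_size` is now zero, so an extension body carrying trailing bytes after the two-byte limit value is accepted silently; add `if (data_size != 0) return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);` (or whichever error the other extension parsers in lib/ext use for trailing data) before the value is used. The comment `/* treat receipt of a smaller value as a fatal error */` should also name the bound it enforces (64), since that minimum is exactly what the review discussion turns on.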

64 feels way too small for normal applications, and looks more likely to be used as an attack vector especially if the server needs to transfer gigabytes of data. What if we ignore values less than 512 (the previous min value), and allow overriding with a gnutls_init flag (e.g., `ALLOW_TINY_RECORDS`)?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/733#note_95445700