# HG changeset patch
# User xuelei
# Date 1566244608 25200
# Node ID 7cc5a5b4eee99fb519619e1e9a5cb00a551ae437
# Parent f0c73a5683e787b2d3ae6751c802e17d57c8a581
8228757: Fail fast if the handshake type is unknown
Reviewed-by: jnimeh
diff -r f0c73a5683e7 -r 7cc5a5b4eee9 src/java.base/share/classes/sun/security/ssl/DTLSInputRecord.java
--- a/src/java.base/share/classes/sun/security/ssl/DTLSInputRecord.java Mon Aug 19 19:58:50 2019 +0200
+++ b/src/java.base/share/classes/sun/security/ssl/DTLSInputRecord.java Mon Aug 19 12:56:48 2019 -0700
@@ -359,7 +359,19 @@
 return null;
 }
 
+ // Fail fast for unknown handshake message.
 byte handshakeType = plaintextFragment.get(); // pos: 0
+ if (!SSLHandshake.isKnown(handshakeType)) {
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+ SSLLogger.fine("Discard invalid record: " +
+ "unknown handshake type size, Handshake.msg_type = " +
+ (handshakeType & 0xFF));
+ }
+
+ // invalid, discard this record [section 4.1.2.7, RFC 6347]
+ return null;
+ }
+
 int messageLength =
 ((plaintextFragment.get() & 0xFF) << 16) |
 ((plaintextFragment.get() & 0xFF) << 8) |
diff -r f0c73a5683e7 -r 7cc5a5b4eee9 src/java.base/share/classes/sun/security/ssl/SSLEngineInputRecord.java
--- a/src/java.base/share/classes/sun/security/ssl/SSLEngineInputRecord.java Mon Aug 19 19:58:50 2019 +0200
+++ b/src/java.base/share/classes/sun/security/ssl/SSLEngineInputRecord.java Mon Aug 19 12:56:48 2019 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2019, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
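Review bot: The new log text in the DTLSInputRecord.java hunk reads "unknown handshake type size", but the condition being reported is an unrecognised msg_type, not a size problem; the stray word will mislead anyone triaging discarded DTLS records from debug output. I would change the literal to `"unknown handshake type, Handshake.msg_type = " +`. The same wording appears in the `SSLProtocolException` messages added in the SSLEngineInputRecord.java and SSLSocketInputRecord.java hunks, where `"Unknown handshake type, Handshake.msg_type = " +` would be the equivalent fix. The enclosing method starts and ends outside this hunk.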
@@ -287,8 +287,15 @@
 }
 
 handshakeFrag.mark();
- // skip the first byte: handshake type
+
+ // Fail fast for unknown handshake message.
 byte handshakeType = handshakeFrag.get();
+ if (!SSLHandshake.isKnown(handshakeType)) {
+ throw new SSLProtocolException(
+ "Unknown handshake type size, Handshake.msg_type = " +
+ (handshakeType & 0xFF));
+ }
+
 int handshakeBodyLen = Record.getInt24(handshakeFrag);
 handshakeFrag.reset();
 int handshakeMessageLen =
diff -r f0c73a5683e7 -r 7cc5a5b4eee9 src/java.base/share/classes/sun/security/ssl/SSLHandshake.java
--- a/src/java.base/share/classes/sun/security/ssl/SSLHandshake.java Mon Aug 19 19:58:50 2019 +0200
+++ b/src/java.base/share/classes/sun/security/ssl/SSLHandshake.java Mon Aug 19 12:56:48 2019 -0700
@@ -497,6 +497,16 @@
 return "UNKNOWN-HANDSHAKE-MESSAGE(" + id + ")";
 }
 
+ static boolean isKnown(byte id) {
+ for (SSLHandshake hs : SSLHandshake.values()) {
+ if (hs.id == id && id != NOT_APPLICABLE.id) {
+ return true;
+ }
+ }
+
+ return false;
+ }
+
 static final void kickstart(HandshakeContext context) throws IOException {
 if (context instanceof ClientHandshakeContext) {
 // For initial handshaking, including session resumption,
diff -r f0c73a5683e7 -r 7cc5a5b4eee9 src/java.base/share/classes/sun/security/ssl/SSLSocketInputRecord.java
--- a/src/java.base/share/classes/sun/security/ssl/SSLSocketInputRecord.java Mon Aug 19 19:58:50 2019 +0200
+++ b/src/java.base/share/classes/sun/security/ssl/SSLSocketInputRecord.java Mon Aug 19 12:56:48 2019 -0700
@@ -302,8 +302,15 @@
 }
 
 handshakeFrag.mark();
- // skip the first byte: handshake type
+
+ // Fail fast for unknown handshake message.
 byte handshakeType = handshakeFrag.get();
+ if (!SSLHandshake.isKnown(handshakeType)) {
+ throw new SSLProtocolException(
+ "Unknown handshake type size, Handshake.msg_type = " +
+ (handshakeType & 0xFF));
+ }
+
 int handshakeBodyLen = Record.getInt24(handshakeFrag);
 handshakeFrag.reset();
 int handshakeMessageLen =
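Review bot: The type check added after `handshakeFrag.mark()` in SSLEngineInputRecord.java is repeated line for line in the SSLSocketInputRecord.java hunk, so a check on peer-controlled input now lives in two copies that have to be kept in step by hand. Consider one helper next to `isKnown` in SSLHandshake that does the lookup and throws, called from both record readers. The replacement comment could also say why the check sits here, e.g. `// Reject unknown msg_type before the length field is read.`, and name the alert the caller is expected to raise for this `SSLProtocolException`, since that mapping is not visible in the hunk. The enclosing method starts and ends outside the hunk.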
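Review bot: `isKnown` in SSLHandshake.java now gates every inbound handshake message on a peer-supplied byte, yet it has no Javadoc saying what "known" means. As written it accepts any id the enum defines other than `NOT_APPLICABLE`'s, with no regard to negotiated protocol version or handshake state, so it is only a coarse pre-filter and later per-state validation (not visible here) is still required; a short Javadoc should say so and explain why `NOT_APPLICABLE` is excluded (presumably an internal sentinel rather than a wire value — confirm). The `id != NOT_APPLICABLE.id` test is loop-invariant and `values()` returns a fresh array copy on every call; hoisting it as `if (id == NOT_APPLICABLE.id) { return false; }` before the loop reads more clearly and leaves the loop body as `if (hs.id == id) { return true; }`.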