Reject extraneous data after SSL negatiation (#359)

* Reject extraneous data after SSL negatiation This prevents attacks like in CVE-2021-23214 and CVE-2021-23222. * Fix fmt issue Co-authored-by: reshke <[email protected]>
yandex · Nov 12, 2021 · 4e00bf7 · 4e00bf7
1 parent 763862a
commit 4e00bf7
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/sources/frontend.c b/sources/frontend.c
@@ -141,7 +141,7 @@ static int od_frontend_startup(od_client_t *client)
 	int rc = od_tls_frontend_accept(client, &instance->logger,
 					client->config_listen, client->tls);
 	if (rc == -1)
-		return -1;
+		goto error;
 
 	if (!client->startup.is_ssl_request) {
 		rc = od_compression_frontend_setup(

diff --git a/sources/tls.c b/sources/tls.c
@@ -86,6 +86,13 @@ int od_tls_frontend_accept(od_client_t *client, od_logger_t *logger,
 				 od_io_error(&client->io));
 			return -1;
 		}
+
+		if (od_readahead_unread(&client->io.readahead) > 0) {
+			od_error(logger, "tls", client, NULL,
+				 "extraneous data from client");
+			return -1; // prevent possible buffer, protecting against CVE-2021-23214-like attacks
+		}
+
 		rc = machine_set_tls(client->io.io, tls,
 				     config->client_login_timeout);
 		if (rc == -1) {
@@ -184,6 +191,12 @@ int od_tls_backend_connect(od_server_t *server, od_logger_t *logger,
 	case 'S':
 		/* supported */
 		od_debug(logger, "tls", NULL, server, "supported");
+		if (od_readahead_unread(&server->io.readahead) > 0) {
+			od_error(logger, "tls", NULL, server,
+				 "extraneous data from client");
+			return -1; // prevent possible buffer, protecting against CVE-2021-23214-like attacks
+		}
+
 		rc = machine_set_tls(server->io.io, server->tls, UINT32_MAX);
 		if (rc == -1) {
 			od_error(logger, "tls", NULL, server, "error: %s",