
There is something I don't understand about the padding part of the heartbeat in OpenSSL. In the code of OpenSSL 1.0.1g, it reads as follows:

n2s(p, payload);                               /* read the 2-byte payload_length field into payload */
if (1 + 2 + payload + 16 > s->s3->rrec.length) /* type + length + payload + minimum padding must fit in the record */
    return 0; /* silently discard per RFC 6520 sec. 4 */
pl = p;                                        /* payload begins right after the length field */

It shows that the length of the padding is 16; however, RFC 6520 says that the padding length is at least 16 bytes. So if the client sends a heartbeat with larger padding (32 bytes or bigger), does the OpenSSL code still have the vulnerability?

iceKing

1 Answer

1 + 2 + payload + 16 is the minimum message length; it might be less than a corresponding message length, but it cannot be greater. Thus, the test says that if that calculated value is greater than the actual message length, which is inconsistent with a well constructed heartbeat, the message should be discarded, preventing the bug.

Warren Dew
  • Thanks, I see that. When we send the heartbeat, I can see the assert "OPENSSL_assert(len <= SSL3_RT_MAX_PLAIN_LENGTH);" and SSL3_RT_MAX_PLAIN_LENGTH is 16k. Why is it 16k? In an SSL record, 3 bytes are used to record the length, so why not bigger? – iceKing Apr 22 '14 at 04:41
  • @iceKing - the `HeartBeatRequest` message has a field `uint16 payload_length`. So the heartbeat message cannot be larger than 2^16 or `SSL3_RT_MAX_PLAIN_LENGTH`. There is a case that says a heartbeat message can't be greater than 2^14, but I'm not familiar with the case. – jww Apr 22 '14 at 08:17
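A constructed model of the two length checks the 1.0.1g patch added, written for this page and not OpenSSL's own code, run against the cases discussed above: the question's 32-byte padding (still accepted, since extra padding only makes the record longer) and an oversized declared payload_length (discarded). The record layout is RFC 6520's; the function and buffer names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the checks in OpenSSL 1.0.1g's tls1_process_heartbeat;
 * the function and buffer names are assumptions, not OpenSSL identifiers. */
#define HB_HEADER_LEN   3    /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PADDING  16   /* RFC 6520 sec. 4: padding is at least 16 bytes */

/* Returns 1 if the record is well formed and may be answered,
 * 0 if it must be silently discarded (the 1.0.1g behaviour). */
static int heartbeat_length_ok(const uint8_t *rec, size_t rec_len)
{
    /* Header plus minimum padding must fit before anything is read. */
    if (HB_HEADER_LEN + HB_MIN_PADDING > rec_len)
        return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];   /* n2s(p, payload) */
    /* Declared payload plus minimum padding must also fit; more padding is fine. */
    if (HB_HEADER_LEN + payload + HB_MIN_PADDING > rec_len)
        return 0;
    return 1;
}

/* Builds a heartbeat_request record (constructed test data): type byte,
 * big-endian declared payload_length, `actual` payload bytes, then `padding`
 * zero bytes. Returns the record length, or 0 if it does not fit in buf. */
static size_t build_heartbeat(uint8_t *buf, size_t cap, uint16_t declared,
                              size_t actual, size_t padding)
{
    if (HB_HEADER_LEN + actual + padding > cap)
        return 0;
    buf[0] = 1;                       /* heartbeat_request */
    buf[1] = (uint8_t)(declared >> 8);
    buf[2] = (uint8_t)(declared & 0xff);
    memset(buf + HB_HEADER_LEN, 'A', actual);
    memset(buf + HB_HEADER_LEN + actual, 0, padding);
    return HB_HEADER_LEN + actual + padding;
}

/* Builds one record and runs the check on it; -1 if it could not be built. */
static int check_case(uint16_t declared, size_t actual, size_t padding)
{
    uint8_t rec[256];
    size_t n = build_heartbeat(rec, sizeof rec, declared, actual, padding);
    return n ? heartbeat_length_ok(rec, n) : -1;
}
```

check_case(5, 5, 32) returns 1 and check_case(65535, 5, 16) returns 0: the declared length, not the padding size, is what the check bounds.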