Possible buffer overflow on gnutls_session_get_data

Alban Crequy alban.crequy at collabora.co.uk
Tue Nov 8 12:55:54 CET 2011

The gnutls_session_get_data function in the GnuTLS library before
3.0.6 or before 2.12.13 on the 2.12.x branch could overflow a
too-short buffer parameter allocated by the caller. The test to avoid
the buffer overflow was not working correctly.

Often the code using the GnuTLS library calls gnutls_session_get_data()
twice: the first time to get the buffer size and the second time with a
buffer allocated to the correct size. In this code pattern, there is no
buffer overflows.

But if gnutls_session_get_data() is called with a too-short buffer, the
function failed to detect it and it would overflow. I am not aware of
any code using gnutls_session_get_data() in this way. It could be that
there is no real software affected by this bug.

The size of the session data is determined by the server and it is
opaque to the client. RFC#5077 suggests it could be around 65kB but it
is not mandatory. A malicious server could send a larger SessionTicket
in the hope to overflow the client.

More information about the Gnutls-devel mailing list