[gnutls-devel] GnuTLS | GnuTLS sends record_overflow when client message is within the length limit (#1224)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Wed May 5 09:40:55 CEST 2021



Weiqi Wang created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1224



## Description of problem:

GnuTLS sends a record_overflow alert for a malformed client message. However, the client message `\xe8\x03\x00\x00\x02\x02\x50` has a valid length. From my understanding:

- `\xe8` is type
- `\x03\x00` is version
- `\x00\x02` is length (2 bytes)
- `\x02\x50` has a length of 2 bytes which corresponds with the length field

Since the type is invalid, I think an unexpected_message alert is more appropriate in this case. As per [RFC 5246](https://tools.ietf.org/html/rfc5246):

> record_overflow
>
> A TLSCiphertext record was received that had a length more than
> 2^14+2048 bytes, or a record decrypted to a TLSCompressed record
> with more than 2^14+1024 bytes.

> unexpected_message
>
> An inappropriate message was received.  This alert is always fatal
> and should never be observed in communication between proper
> implementations.

## Version of gnutls used:

GnuTLS 3.7.0 commit 7e44152fd4076afb0b64ed311fd092669e71fa1e

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu 18.04

## How reproducible:

Steps to Reproduce:

```
gnutls-serv --priority NORMAL:-VERS-ALL:+VERS-TLS1.2:-COMP-ALL:+COMP-NONE --x509keyfile /path/to/key.pem --x509certfile /path/to/cert.pem -p 44331 --noticket -a --http
```

```
echo -n -e "\xe8\x03\x00\x00\x02\x02\x50" | nc 127.0.0.1 44331
```


## Actual results:

GnuTLS sends a record_overflow alert. The capture file is attached.

## Expected results:

Send unexpected_message alert.

## Attachments:
[gnutls_capture.pcap](/uploads/9dc498a6f7924b71ead448fc9ad4cfef/gnutls_capture.pcap)
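
The header decoding described in the report, as an added example that is not part of the original message and is not GnuTLS code: it parses the 5-byte record header and applies the record_overflow length limit quoted above, plus the TLS 1.2 content-type range (20 to 23) from RFC 5246. The names `record_hdr`, `parse_record_hdr` and `alert_for_hdr` are hypothetical, and the order of the two checks is an assumption of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Alert description codes from RFC 5246, section 7.2 */
enum { ALERT_NONE = -1, ALERT_UNEXPECTED_MESSAGE = 10, ALERT_RECORD_OVERFLOW = 22 };

#define MAX_CIPHERTEXT_LEN ((1u << 14) + 2048u) /* 2^14+2048, as quoted above */

struct record_hdr {              /* hypothetical name, not a GnuTLS type */
    uint8_t  type;
    uint8_t  ver_major, ver_minor;
    uint16_t length;
};

/* Decode the 5-byte TLS record header; returns 0 on success, -1 if truncated. */
int parse_record_hdr(const uint8_t *buf, size_t n, struct record_hdr *h)
{
    if (n < 5)
        return -1;
    h->type = buf[0];
    h->ver_major = buf[1];
    h->ver_minor = buf[2];
    h->length = (uint16_t)((buf[3] << 8) | buf[4]); /* big-endian */
    return 0;
}

/* Pick the alert for a header. The order of checks is an assumption. */
int alert_for_hdr(const struct record_hdr *h)
{
    if (h->length > MAX_CIPHERTEXT_LEN)
        return ALERT_RECORD_OVERFLOW;
    if (h->type < 20 || h->type > 23) /* ccs, alert, handshake, app data */
        return ALERT_UNEXPECTED_MESSAGE;
    return ALERT_NONE;
}

int main(void)
{
    /* The 7 bytes from the report's reproduction step */
    const uint8_t msg[] = { 0xe8, 0x03, 0x00, 0x00, 0x02, 0x02, 0x50 };
    struct record_hdr h;
    if (parse_record_hdr(msg, sizeof msg, &h) != 0)
        return 1;
    printf("type=0x%02x version=%u.%u length=%u body=%zu alert=%d\n",
           h.type, h.ver_major, h.ver_minor, h.length, sizeof msg - 5,
           alert_for_hdr(&h));
    return 0;
}
```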
