padding about OpenSSL heartbleed


There is something I don't understand about the padding part of the heartbeat in OpenSSL. In the code of OpenSSL 1.0.1g, it shows as follows:

n2s(p, payload);                                /* read the 2-byte payload length from p and advance p */
if (1 + 2 + payload + 16 > s->s3->rrec.length)  /* type(1) + length(2) + payload + minimum padding(16) */
    return 0; /* silently discard per RFC 6520 sec. 4 */
pl = p;                                         /* payload starts here */

It shows that the padding length is 16; however, RFC 6520 says that the padding length is at least 16 bytes. So if the client sends a heartbeat with larger padding (32 bytes or bigger), does the OpenSSL code still have the vulnerability?

1

There is 1 answer

2
Warren Dew On

1 + 2 + payload + 16 is the minimum message length; it might be less than a corresponding message length, but it cannot be greater. Thus, the test says that if that calculated value is greater than the actual message length, which is inconsistent with a well constructed heartbeat, the message should be discarded, preventing the bug.
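A worked illustration of the point above, added here as an example and not code from the original thread or from OpenSSL itself: a small C program that re-implements the 1.0.1g length check over constructed heartbeat records and reports whether each one is accepted or silently discarded. The names `struct record`, `build_heartbeat` and `check_scenario` are my own stand-ins for `s->s3->rrec` and a test harness; the constant 16 is the RFC 6520 minimum padding, so a record with 32 bytes of padding passes as long as the claimed payload still fits inside the record, and the bytes later copied into the response are then all inside the received record.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for s->s3->rrec: the received record body and its length. */
struct record {
    const unsigned char *data;
    size_t length;
};

/* RFC 6520 heartbeat layout: type(1) | payload_length(2) | payload | padding (>= 16 bytes). */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Returns 1 if the record passes the 1.0.1g bounds check, 0 if it must be silently discarded.
   Mirrors: n2s(p, payload); if (1 + 2 + payload + 16 > s->s3->rrec.length) return 0; */
int heartbeat_length_ok(const struct record *rec)
{
    /* 1.0.1g also checks the header fits before reading the length field. */
    if (rec->length < HB_HEADER_LEN)
        return 0;
    const unsigned char *p = rec->data + 1;                      /* skip the type byte */
    unsigned int payload = ((unsigned int)p[0] << 8) | p[1];     /* n2s(): big-endian 16-bit */
    if ((size_t)1 + 2 + payload + HB_MIN_PADDING > rec->length)  /* minimum length exceeds record */
        return 0;
    return 1;
}

/* Builds a constructed heartbeat_request: a claimed payload length in the header,
   `actual` bytes of real payload, and `padding` bytes of padding. Returns total size, 0 if too big. */
size_t build_heartbeat(unsigned char *buf, size_t cap, unsigned int claimed,
                       size_t actual, size_t padding)
{
    size_t total = HB_HEADER_LEN + actual + padding;
    if (total > cap)
        return 0;
    buf[0] = 1;                                   /* heartbeat_request */
    buf[1] = (unsigned char)(claimed >> 8);
    buf[2] = (unsigned char)(claimed & 0xff);
    memset(buf + HB_HEADER_LEN, 'A', actual);     /* constructed payload */
    memset(buf + HB_HEADER_LEN + actual, 0, padding);
    return total;
}

/* Runs the check on one constructed record; -1 means the scenario did not fit the buffer. */
int check_scenario(unsigned int claimed, size_t actual, size_t padding)
{
    unsigned char buf[1024];
    struct record rec;
    rec.data = buf;
    rec.length = build_heartbeat(buf, sizeof buf, claimed, actual, padding);
    if (rec.length == 0)
        return -1;
    return heartbeat_length_ok(&rec);
}

int main(void)
{
    /* Honest 4-byte payload with 16 or 32 bytes of padding: accepted either way. */
    int ok16 = check_scenario(4, 4, 16);
    int ok32 = check_scenario(4, 4, 32);
    /* Claimed length far beyond the record: discarded regardless of padding. */
    int over = check_scenario(65535, 4, 32);
    /* Claimed 20 bytes with only 4 real bytes but 32 bytes of padding: accepted, yet the
       20 bytes the responder would copy all lie inside the 39-byte record it received. */
    int within = check_scenario(20, 4, 32);
    return (ok16 == 1 && ok32 == 1 && over == 0 && within == 1) ? 0 : 1;
}
```

The scenario worth noticing is the last one: extra padding lets a sender claim a payload larger than what it really sent, but the check guarantees that the claimed region still ends inside the received record, so nothing beyond the record buffer is ever read.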