SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 106

changes.mady.by.user David Svoboda

Saved on

compared with

New Version 107

changes.mady.by.user Carol J. Lallier

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

CERT vulnerability 720951 describes a vulnerability in OpenSSL versions 1.0.1 through 1.0.1f, popularly known as "Heartbleed." . This vulnerability allows a malicious packet fed to a server using OpenSSL to trick that server into returning up to 64 kilobytes of its internal memory. This memory can contain sensitive information, including cryptographic keys, usernames, and passwords. The Following is the vulnerable code appears below:

 

...

:

Code Block
bgColor#ffcccc
langc
int dtls1_process_heartbeat(SSL *s)

...

 {         
  unsigned char *p = &s->s3->rrec.data[0], *pl;

...

  unsigned short hbtype;
  unsigned int payload;
  unsigned int padding = 16; /* Use minimum padding */
 
  /* Read type and payload length first */
  hbtype = *p++;
  n2s(p, payload);
  pl = p;
 
  /* ... More code ... */
 

...


  unsigned short hbtype;
  unsigned int payload;
  unsigned int padding = 16; /* Use minimum padding */
 
  /* Read type and payload length first */
  hbtype = *p++;
  n2s(p, payload);
  pl = p;
 
  /* ... More code ... */
 
  if (hbtype == TLS1_HB_REQUEST)

...

 {
    unsigned char *buffer, *bp;

...

    int r;
 
    /* Allocate memory for the response, size is 1 byte
     * message type, plus 2 bytes payload length, plus
     * payload, plus padding
     */

...


    int r;
 
    /* 
     * Allocate memory for the response; size is 1 byte
     * message type, plus 2 bytes payload length, plus
     * payload, plus padding.
     */
    buffer = OPENSSL_malloc(1 + 2 + payload + padding);

...

    bp = buffer;
 
    /* Enter response type, length and copy payload */

...


    bp = buffer;
 
    /* Enter response type, length, and copy payload */
    *bp++ = TLS1_HB_RESPONSE;

...


    s2n(payload, bp);

...


    memcpy(bp, pl, payload);

...

 

...


 
    /* ... More code ... */

...

  }

...


  }
  /* ... More code ... */

...


}

 

This code processes a

...

"heartbeat

...

" packet from a client. As specified in RFC 6520, when the program receives a heartbeat packet, it must echo the packet's data back to the client. In addition to the data, the packet contains a length field that conventionally indicates the number of bytes in the packet data, but there is nothing to prevent a malicious packet from lying about its data length.

The p pointer, along with payload and p1 contain , contain data from a packet. The code allocates a buffer sufficient to contain payload bytes, with some overhead, and then copies payload bytes starting at p1 into this buffer , and sends it to the client. Notably absent are any checks that payload actually indicates the correct size of the memory. Because an attacker can specify an arbitrary value for payload, he or she can cause this routine to read and return memory beyond the block allocated to p, which violates INT04-C. Enforce limits on integer values originating from tainted sources. In this case, the call to memcpy() would create a pointer that does not lie within the bounds of the character array.

...

Compliant Solution (Heartbleed)

OpenSSL version 1.0.1g contains the following patch, which guarantees that payload is within a valid range. The range is limited by the size of the input record.

 

Code Block
bgColor#ccccff
langc
int
 
 dtls1_process_heartbeat(SSL *s)
{           unsigned char *p = 
 {         
  unsigned char *p = &s->s3->rrec.data[0], *pl;
  unsigned short hbtype;
  unsigned int payload;
  unsigned int padding = 16; /* Use minimum padding */
 
  /* ... More code ... */
 
  /* Read type and payload length first */
  if (1 + 2 + 16 > 

  unsigned short hbtype;
  unsigned int payload;
  unsigned int padding = 16; /* Use minimum padding */
 
  /* ... More code ... */
 
  /* Read type and payload length first */
  if (1 + 2 + 16 > s->s3->rrec.length)
    return 

    return 0;
 
 /*
silently 
 Silently discard */
  

  hbtype = *p++;
  

  n2s(p, payload);
  if 

  if (1 + 2 + payload + 16 > s->s3->rrec.length)
    return 

    return 0;
 
 /*
silently 
 Silently discard per RFC 6520 */
  

  pl = p;
 
  

 
  /* ... More code ... */
 
  if 

 
  if (hbtype == TLS1_HB_REQUEST)
{    unsigned char 
 {
    unsigned char *buffer, *bp;
    int r;
 
    /* Allocate memory for the response, size is 1 byte
     * message type, plus 2 bytes payload length, plus
     * payload, plus padding
     */
    buffer = 

    int r;
 
    /* 
     * Allocate memory for the response; size is 1 byte
     * message type, plus 2 bytes payload length, plus
     * payload, plus padding.
     */
    buffer = OPENSSL_malloc(1 + 2 + payload + padding);
    bp = buffer;
    /* Enter response type, length and copy payload */
    

    bp = buffer;
    /* Enter response type, length, and copy payload */
    *bp++ = TLS1_HB_RESPONSE;
    

    s2n(payload, bp);
    

    memcpy(bp, pl, payload);
    

    /* ... More code ... */
  }
  

  }
  /* ... More code ... */

}

 

Risk Assessment

Depending on the library function called, an attacker may be able to use a heap or stack overflow vulnerability to run arbitrary code.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

ARR38-C

High

Likely

Medium

P18

L1

Automated Detection

Tool

Version

Checker

Description

Compass/ROSE

 

 

 

Coverity6.5BUFFER_SIZEFully Implemented

Fortify SCA

5.0

 

Can detect violations of this rule with CERT C Rule Pack

Klocwork

Include Page
Klocwork_V
Klocwork_V

ABR

 

PRQA QA-C
Include Page
PRQA_V
PRQA_V
 2931Fully implemented

Splint

Include Page
Splint_V
Splint_V

 

 

...

[Cassidy 2014]Existential Type Crisis : Diagnosis of the OpenSSL Heartbleed Bug
[IETF: RFC 6520] 
[ISO/IEC TS 17961:2013] 
[VU#720951] 

...