RootCause: unvalidated

The function tls1_process_heartbeat in ssl/t1_lib.c trusts the 16-bit payload length field from the attacker-supplied heartbeat message without verifying that this length is consistent with the actual length of the received TLS record (s->s3->rrec.length). It then memcpy's `payload` bytes from the record data into a response buffer that is sent back to the peer.
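The check the description above says is missing, written out as an added example; it is not OpenSSL's code and not part of the original page. The function name, the constructed sample records and the 16-byte minimum padding (taken from RFC 6520) are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER_LEN  3u   /* 1-byte message type + 2-byte payload length */
#define HB_MIN_PADDING 16u  /* minimum padding required by RFC 6520 */

/* Copy the heartbeat payload out of a received record.
 * rec/rec_len: record body and the length actually received
 * (the role s->s3->rrec.length plays in the description above).
 * Returns bytes copied, or -1 if the message must be discarded. */
long hb_copy_payload(const uint8_t *rec, size_t rec_len,
                     uint8_t *out, size_t out_cap)
{
    /* Too short to hold the header plus minimum padding. */
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;

    /* The 16-bit length field is peer-controlled: treat it as a claim. */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* Subtraction cannot wrap because of the check above. */
    if (claimed > rec_len - HB_HEADER_LEN - HB_MIN_PADDING)
        return -1;
    if (claimed > out_cap)
        return -1;

    memcpy(out, rec + HB_HEADER_LEN, claimed);
    return (long)claimed;
}

/* Constructed sample: 4-byte payload "ping" plus 16 bytes of zero padding. */
static const uint8_t HB_HONEST[23] = { 0x01, 0x00, 0x04, 'p', 'i', 'n', 'g' };
/* Constructed sample: same 23 received bytes, but the field claims 0x4000. */
static const uint8_t HB_OVERCLAIM[23] = { 0x01, 0x40, 0x00, 'p', 'i', 'n', 'g' };

int main(void)
{
    uint8_t out[64];
    printf("honest:    %ld\n",
           hb_copy_payload(HB_HONEST, sizeof HB_HONEST, out, sizeof out));
    printf("overclaim: %ld\n",
           hb_copy_payload(HB_OVERCLAIM, sizeof HB_OVERCLAIM, out, sizeof out));
    return 0;
}
```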

9a461d78-81a2-40c4-960e-721c0f35759e
