On Wed, Apr 9, 2014 at 7:49 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
> Should this chunk of code:
>
> if (tree) {
>     if (type && (payload_length <= record_length - 16 - 3)) {
>         proto_item_set_text(tree, "%s Record Layer: Heartbeat "
>                             "%s",
>                             val_to_str_const(*conv_version, ssl_version_short_names, "SSL"),
>                             type);
>         proto_tree_add_item(tls_heartbeat_tree, hf_ssl_heartbeat_message_type,
>                             tvb, offset, 1, ENC_BIG_ENDIAN);
>         offset += 1;
>         proto_tree_add_uint(tls_heartbeat_tree, hf_ssl_heartbeat_message_payload_length,
>                             tvb, offset, 2, payload_length);
>         offset += 2;
>         proto_tree_add_bytes_format(tls_heartbeat_tree, hf_ssl_heartbeat_message_payload,
>                                     tvb, offset, payload_length,
>                                     NULL, "Payload (%u byte%s)",
>                                     payload_length,
>                                     plurality(payload_length, "", "s"));
>         offset += payload_length;
>         proto_tree_add_bytes_format(tls_heartbeat_tree, hf_ssl_heartbeat_message_padding,
>                                     tvb, offset, padding_length,
>                                     NULL, "Padding and HMAC (%u byte%s)",
>                                     padding_length,
>                                     plurality(padding_length, "", "s"));
>     } else {
>         proto_item_set_text(tree,
>                             "%s Record Layer: Encrypted Heartbeat",
>                             val_to_str_const(*conv_version, ssl_version_short_names, "SSL"));
>         proto_item_set_text(tls_heartbeat_tree,
>                             "Encrypted Heartbeat Message");
>     }
> }
>
> perhaps report an expert info if the payload length is too large? Why is that treated as a "this is encrypted" indication rather than a "somebody's trying to extract whatever's in the server's memory after the request payload" indication?
I have no idea why it treats it as an "encrypted" indication; possibly
some old deprecated spec? Anyways, +1 for heartbleed expert info.