Replace SSL assertion with explicit record length check#14810
Merged
Replace SSL assertion with explicit record length check#14810
Conversation
Motivation: This assertion sometimes fails in fuzzing when using the JDK SSL implementation. The reason is that the JDK equivalent of getEncryptedPacketLength (SSLEngineInputRecord#bytesInCompletePacket) remembers when a previous packet was not SSLv2 and will not check for SSLv2 again in that case. getEncryptedPacketLength cannot replicate this behavior and checks for SSLv2 every time. This can lead to a mismatch in the netty and JDK length result, which triggers the assert replaced in this PR. Modification: Replace the assert with a normal check and exception. This sort of input should always be a sign of bad data. Result: Normal decode failure instead of assertion failure. From my testing, this only affects the JDK implementation so there's no potential for a crash like CVE-2025-24970. It looks like when assertions are off, the data is just dropped atm.
normanmaurer
requested changes
Feb 12, 2025
Co-authored-by: Norman Maurer <norman_maurer@apple.com>
normanmaurer
approved these changes
Feb 13, 2025
chrisvest
approved these changes
Feb 13, 2025
chrisvest
pushed a commit
to chrisvest/netty
that referenced
this pull request
Feb 14, 2025
Motivation: This assertion sometimes fails in fuzzing when using the JDK SSL implementation. The reason is that the JDK equivalent of getEncryptedPacketLength (SSLEngineInputRecord#bytesInCompletePacket) remembers when a previous packet was not SSLv2 and will not check for SSLv2 again in that case. getEncryptedPacketLength cannot replicate this behavior and checks for SSLv2 every time. This can lead to a mismatch in the netty and JDK length result, which triggers the assert replaced in this PR. Modification: Replace the assert with a normal check and exception. This sort of input should always be a sign of bad data. Result: Normal decode failure instead of assertion failure. From my testing, this only affects the JDK implementation so there's no potential for a crash like CVE-2025-24970. It looks like when assertions are off, the data is just dropped atm. --------- Co-authored-by: Norman Maurer <norman_maurer@apple.com>
chrisvest
pushed a commit
to chrisvest/netty
that referenced
this pull request
Feb 14, 2025
Motivation: This assertion sometimes fails in fuzzing when using the JDK SSL implementation. The reason is that the JDK equivalent of getEncryptedPacketLength (SSLEngineInputRecord#bytesInCompletePacket) remembers when a previous packet was not SSLv2 and will not check for SSLv2 again in that case. getEncryptedPacketLength cannot replicate this behavior and checks for SSLv2 every time. This can lead to a mismatch in the netty and JDK length result, which triggers the assert replaced in this PR. Modification: Replace the assert with a normal check and exception. This sort of input should always be a sign of bad data. Result: Normal decode failure instead of assertion failure. From my testing, this only affects the JDK implementation so there's no potential for a crash like CVE-2025-24970. It looks like when assertions are off, the data is just dropped atm. --------- Co-authored-by: Norman Maurer <norman_maurer@apple.com>
chrisvest
added a commit
that referenced
this pull request
Feb 14, 2025
) Motivation: This assertion sometimes fails in fuzzing when using the JDK SSL implementation. The reason is that the JDK equivalent of getEncryptedPacketLength (SSLEngineInputRecord#bytesInCompletePacket) remembers when a previous packet was not SSLv2 and will not check for SSLv2 again in that case. getEncryptedPacketLength cannot replicate this behavior and checks for SSLv2 every time. This can lead to a mismatch in the netty and JDK length result, which triggers the assert replaced in this PR. Modification: Replace the assert with a normal check and exception. This sort of input should always be a sign of bad data. Result: Normal decode failure instead of assertion failure. From my testing, this only affects the JDK implementation so there's no potential for a crash like CVE-2025-24970. It looks like when assertions are off, the data is just dropped atm. Co-authored-by: Jonas Konrad <jonas.konrad@oracle.com> Co-authored-by: Norman Maurer <norman_maurer@apple.com>
chrisvest
added a commit
that referenced
this pull request
Feb 17, 2025
) Motivation: This assertion sometimes fails in fuzzing when using the JDK SSL implementation. The reason is that the JDK equivalent of getEncryptedPacketLength (SSLEngineInputRecord#bytesInCompletePacket) remembers when a previous packet was not SSLv2 and will not check for SSLv2 again in that case. getEncryptedPacketLength cannot replicate this behavior and checks for SSLv2 every time. This can lead to a mismatch in the netty and JDK length result, which triggers the assert replaced in this PR. Modification: Replace the assert with a normal check and exception. This sort of input should always be a sign of bad data. Result: Normal decode failure instead of assertion failure. From my testing, this only affects the JDK implementation so there's no potential for a crash like CVE-2025-24970. It looks like when assertions are off, the data is just dropped atm. Co-authored-by: Jonas Konrad <jonas.konrad@oracle.com> Co-authored-by: Norman Maurer <norman_maurer@apple.com>
dongjoon-hyun
added a commit
to apache/spark
that referenced
this pull request
Mar 4, 2025
### What changes were proposed in this pull request? This PR aims to Upgrade Netty to 4.1.119.Final. ### Why are the changes needed? - https://github.com/netty/netty/milestone/309?closed=1 - netty/netty#14855 - netty/netty#14830 - netty/netty#14816 - netty/netty#14810 ### Does this PR introduce _any_ user-facing change? No behavior change. ### How was this patch tested? Pass the CIs. ### Was this patch authored or co-authored using generative AI tooling? No. Closes #50150 from dongjoon-hyun/SPARK-51387. Authored-by: Dongjoon Hyun <dongjoon@apache.org> Signed-off-by: Dongjoon Hyun <dongjoon@apache.org>
dongjoon-hyun
added a commit
to apache/spark
that referenced
this pull request
Mar 4, 2025
### What changes were proposed in this pull request? This PR aims to Upgrade Netty to 4.1.119.Final. ### Why are the changes needed? - https://github.com/netty/netty/milestone/309?closed=1 - netty/netty#14855 - netty/netty#14830 - netty/netty#14816 - netty/netty#14810 ### Does this PR introduce _any_ user-facing change? No behavior change. ### How was this patch tested? Pass the CIs. ### Was this patch authored or co-authored using generative AI tooling? No. Closes #50150 from dongjoon-hyun/SPARK-51387. Authored-by: Dongjoon Hyun <dongjoon@apache.org> Signed-off-by: Dongjoon Hyun <dongjoon@apache.org> (cherry picked from commit 3d949af) Signed-off-by: Dongjoon Hyun <dongjoon@apache.org>
dongjoon-hyun
added a commit
to dongjoon-hyun/spark
that referenced
this pull request
Mar 5, 2025
### What changes were proposed in this pull request? This PR aims to Upgrade Netty to 4.1.119.Final. ### Why are the changes needed? - https://github.com/netty/netty/milestone/309?closed=1 - netty/netty#14855 - netty/netty#14830 - netty/netty#14816 - netty/netty#14810 ### Does this PR introduce _any_ user-facing change? No behavior change. ### How was this patch tested? Pass the CIs. ### Was this patch authored or co-authored using generative AI tooling? No. Closes apache#50150 from dongjoon-hyun/SPARK-51387. Authored-by: Dongjoon Hyun <dongjoon@apache.org> Signed-off-by: Dongjoon Hyun <dongjoon@apache.org> (cherry picked from commit 3d949af) Signed-off-by: Dongjoon Hyun <dongjoon@apache.org>
zifeif2
pushed a commit
to zifeif2/spark
that referenced
this pull request
Nov 14, 2025
### What changes were proposed in this pull request? This PR aims to Upgrade Netty to 4.1.119.Final. ### Why are the changes needed? - https://github.com/netty/netty/milestone/309?closed=1 - netty/netty#14855 - netty/netty#14830 - netty/netty#14816 - netty/netty#14810 ### Does this PR introduce _any_ user-facing change? No behavior change. ### How was this patch tested? Pass the CIs. ### Was this patch authored or co-authored using generative AI tooling? No. Closes apache#50150 from dongjoon-hyun/SPARK-51387. Authored-by: Dongjoon Hyun <dongjoon@apache.org> Signed-off-by: Dongjoon Hyun <dongjoon@apache.org> (cherry picked from commit e84c345) Signed-off-by: Dongjoon Hyun <dongjoon@apache.org>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation:
This assertion sometimes fails in fuzzing when using the JDK SSL implementation. The reason is that the JDK equivalent of getEncryptedPacketLength (SSLEngineInputRecord#bytesInCompletePacket) remembers when a previous packet was not SSLv2 and will not check for SSLv2 again in that case. getEncryptedPacketLength cannot replicate this behavior and checks for SSLv2 every time. This can lead to a mismatch in the netty and JDK length result, which triggers the assert replaced in this PR.
Modification:
Replace the assert with a normal check and exception. This sort of input should always be a sign of bad data.
Result:
Normal decode failure instead of assertion failure.
From my testing, this only affects the JDK implementation so there's no potential for a crash like CVE-2025-24970. It looks like when assertions are off, the data is just dropped atm.