[UNDERTOW-2413] CVE-2024-5971 At SslConduit.wrapAndFlip, make sure al…

…l the consumed bytes of the multiple wrap calls are accounted for at the returning result. Signed-off-by: Flavia Rainone <[email protected]> (cherry picked from commit 74fdf63)
undertow-io · Jul 16, 2024 · 1418733 · 1418733
1 parent 297da38
commit 1418733
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/core/src/main/java/io/undertow/protocols/ssl/SslConduit.java b/core/src/main/java/io/undertow/protocols/ssl/SslConduit.java
@@ -1006,13 +1006,18 @@ private synchronized long doWrap(ByteBuffer[] userBuffers, int off, int len) thr
 
     private SSLEngineResult wrapAndFlip(ByteBuffer[] userBuffers, int off, int len) throws IOException {
         SSLEngineResult result = null;
+        int totalConsumedBytes = 0;
         while (result == null || (result.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_WRAP
                 && result.getStatus() != SSLEngineResult.Status.BUFFER_OVERFLOW && !engine.isInboundDone())) {
             if (userBuffers == null) {
                 result = engine.wrap(EMPTY_BUFFER, wrappedData.getBuffer());
             } else {
                 result = engine.wrap(userBuffers, off, len, wrappedData.getBuffer());
             }
+            totalConsumedBytes += result.bytesConsumed();
+        }
+        if (totalConsumedBytes != result.bytesConsumed()) {
+            result = new SSLEngineResult(result.getStatus(), result.getHandshakeStatus(), totalConsumedBytes, result.bytesProduced());
         }
         wrappedData.getBuffer().flip();
         return result;