GnuTLS sends record_overflow when client message is within the length limit
Description of problem:
GnuTLS sends record_overflow alert for a malformed client message. However, the client message \xe8\x03\x00\x00\x02\x02\x50 has a valid length. From my understanding:
- \xe8 is type
- \x03\x00 is version
- \x00\x02 is length (2 bytes)
- \x02\x50 has a length of 2 bytes which corresponds with the length field
Since the type is invalid, I think an unexpected_message alert is more appropriate in this case. As per RFC 5246:
- record_overflow: A TLSCiphertext record was received that had a length more than 2^14+2048 bytes, or a record decrypted to a TLSCompressed record with more than 2^14+1024 bytes.
- unexpected_message: An inappropriate message was received. This alert is always fatal and should never be observed in communication between proper implementations.
Version of gnutls used:
GnuTLS 3.7.0 commit 7e44152f
Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Ubuntu 18.04
How reproducible:
Steps to Reproduce:
gnutls-serv --priority NORMAL:-VERS-ALL:+VERS-TLS1.2:-COMP-ALL:+COMP-NONE --x509keyfile /path/to/key.pem --x509certfile /path/to/cert.pem -p 44331 --noticket -a --http
echo -n -e "\xe8\x03\x00\x00\x02\x02\x50" | nc 127.0.0.1 44331
Actual results:
GnuTLS sends record_overflow alert. The capture file is attached.
Expected results:
Send unexpected_message alert.
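
The reading of the record header given in this report can be checked with a small parser. The following is an added example, not GnuTLS code and not part of the original report: it splits the 5-byte header as type, version and length, then picks an alert using the RFC 5246 content types (20 to 23) and the 2^14+2048 length limit. All function and constant names are hypothetical, and checking the type before the length is an assumption of this sketch.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* AlertDescription values from RFC 5246, section 7.2; negative values are local. */
enum { NEED_MORE = -2, NO_ALERT = -1, UNEXPECTED_MESSAGE = 10, RECORD_OVERFLOW = 22 };

#define TLS_HEADER_LEN 5
#define TLS_MAX_CIPHERTEXT ((1u << 14) + 2048u) /* 2^14+2048 bytes */

struct record_header { uint8_t type, major, minor; uint16_t length; };

/* Split the 5-byte header: type(1) | version(2) | length(2, big-endian). */
static int parse_header(const uint8_t *buf, size_t n, struct record_header *h)
{
    if (n < TLS_HEADER_LEN)
        return -1;
    h->type = buf[0];
    h->major = buf[1];
    h->minor = buf[2];
    h->length = (uint16_t)((buf[3] << 8) | buf[4]);
    return 0;
}

/* Pick the alert for a record header (hypothetical helper, type checked first). */
static int classify_record(const uint8_t *buf, size_t n)
{
    struct record_header h;
    if (parse_header(buf, n, &h) != 0)
        return NEED_MORE;
    if (h.type < 20 || h.type > 23)
        return UNEXPECTED_MESSAGE;   /* content type not defined by RFC 5246 */
    if (h.length > TLS_MAX_CIPHERTEXT)
        return RECORD_OVERFLOW;      /* declared length over the limit */
    return NO_ALERT;
}

/* report_msg is the message from the report; the other two are constructed. */
static const uint8_t report_msg[] = { 0xe8, 0x03, 0x00, 0x00, 0x02, 0x02, 0x50 };
static const uint8_t at_limit[]   = { 0x16, 0x03, 0x03, 0x48, 0x00 }; /* 18432 */
static const uint8_t over_limit[] = { 0x16, 0x03, 0x03, 0x48, 0x01 }; /* 18433 */

int main(void)
{
    printf("report: %d\n", classify_record(report_msg, sizeof report_msg));
    printf("at limit: %d\n", classify_record(at_limit, sizeof at_limit));
    printf("over limit: %d\n", classify_record(over_limit, sizeof over_limit));
    return 0;
}
```

Under this reading the reported message yields alert 10 (unexpected_message), and only a declared length above 18432 yields alert 22 (record_overflow).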