unbuffered: crash (attempt to subtract with overflow) with TLS 1.3 #2040

@honzasp

Describe the bug
When using the unbuffered client API to connect to certain servers (https://canihazip.com, an HTTPS server which simply returns the client's IP address), rustls crashes in <rustls::msgs::deframer::DeframerSliceBuffer as rustls::msgs::deframer::FilledDeframerBuffer>::filled due to a numeric overflow in subtraction.

[examples/src/bin/unbuffered-client.rs:64:15] state.unwrap() = EncodeTlsData
[examples/src/bin/unbuffered-client.rs:64:15] state.unwrap() = TransmitTlsData
sent 240B of data
[examples/src/bin/unbuffered-client.rs:64:15] state.unwrap() = BlockedHandshake
received 3118B of data
[examples/src/bin/unbuffered-client.rs:64:15] state.unwrap() = EncodeTlsData
discarded 127B from `incoming_tls`
thread 'main' panicked at rustls/src/msgs/deframer.rs:600:19:
attempt to subtract with overflow
stack backtrace:
   0: rust_begin_unwind
             at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library/std/src/panicking.rs:645:5
   1: core::panicking::panic_fmt
             at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library/core/src/panicking.rs:72:14
   2: core::panicking::panic
             at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library/core/src/panicking.rs:144:5
   3: <rustls::msgs::deframer::DeframerSliceBuffer as rustls::msgs::deframer::FilledDeframerBuffer>::filled
             at /home/jan-spacek/prog/keyrock/rustls/rustls/src/msgs/deframer.rs:600:19
   4: rustls::msgs::deframer::FilledDeframerBuffer::len
             at /home/jan-spacek/prog/keyrock/rustls/rustls/src/msgs/deframer.rs:651:9
   5: rustls::msgs::deframer::DeframerSliceBuffer::is_empty
             at /home/jan-spacek/prog/keyrock/rustls/rustls/src/msgs/deframer.rs:561:9
   6: rustls::msgs::deframer::MessageDeframer::pop
             at /home/jan-spacek/prog/keyrock/rustls/rustls/src/msgs/deframer.rs:49:19
   7: rustls::conn::ConnectionCore<Data>::deframe
             at /home/jan-spacek/prog/keyrock/rustls/rustls/src/conn.rs:867:15
   8: rustls::conn::unbuffered::<impl rustls::conn::UnbufferedConnectionCommon<Data>>::process_tls_records_common
             at /home/jan-spacek/prog/keyrock/rustls/rustls/src/conn/unbuffered.rs:79:41
   9: rustls::conn::unbuffered::<impl rustls::conn::UnbufferedConnectionCommon<rustls::client::client_conn::ClientConnectionData>>::process_tls_records
             at /home/jan-spacek/prog/keyrock/rustls/rustls/src/conn/unbuffered.rs:22:9
  10: unbuffered_client::converse
             at ./src/bin/unbuffered-client.rs:62:13
  11: unbuffered_client::main
             at ./src/bin/unbuffered-client.rs:32:5
  12: core::ops::function::FnOnce::call_once
             at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library/core/src/ops/function.rs:250:5
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.

To Reproduce
In examples/src/bin/unbuffered-client.rs, replace const SERVER_NAME: &str = "example.com"; with "icanhazip.com".

Applicable Version(s)
I reproduced this from main (commit 7b521d), but I observed the same issue with versions 0.23.10 and 0.23.11 from crates.io.

Additional context
This bug only appears when TLS 1.3 is used. If I force rustls to use TLS 1.2 only, the problem disappears.
