[Pkg-gnutls-maint] Bug#478191: Bug#478191: Acknowledgement (/usr/bin/gnutls-cli: Fatal error: Internal error in memory allocation.)

Simon Josefsson simon at josefsson.org
Tue Apr 29 08:03:37 UTC 2008


Marc Haber <mh+debian-bugs at zugschlus.de> writes:

>>   Could you run gnutls-cli with -d 4711 or something and post the
>>   output too?
>
> attached.

Thanks.  It confirms my theory:

|<7>| RB: Have 5 bytes into buffer. Adding 16384 bytes.
...
|<2>| ASSERT: gnutls_buffers.c:1187

16 KB is the current max handshake size limit, for DoS reasons.  It seems
that is too low.  This patch increases the default limit to 32 KB.  The
error message is quite bad, and on the development trunk I'll be adding
a new error code for this situation.

diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index e37237d..71a9b89 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -47,7 +47,7 @@
 /* The size of a handshake message should not
  * be larger than this value.
  */
-#define MAX_HANDSHAKE_PACKET_SIZE 16*1024
+#define MAX_HANDSHAKE_PACKET_SIZE 32*1024
 
 #define TLS_RANDOM_SIZE 32
 #define TLS_MAX_SESSION_ID_SIZE 32
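Review bot: the replacement line `#define MAX_HANDSHAKE_PACKET_SIZE 32*1024` leaves the macro body unparenthesized (as the old value was), so a use such as `x / MAX_HANDSHAKE_PACKET_SIZE` expands to `x / 32*1024` and is evaluated as `(x / 32) * 1024`; write it as `(32*1024)`. While touching this line, the comment above it ("should not be larger than this value") could also say why 32 KB was chosen and that a large trusted-CA name list is what pushed a handshake message past 16 KB, because a server advertising an even longer list will trip the same assertion at the new value.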


>> Does the server by any chance have a very large set of known CAs?
>
> Not that I am aware of.

It does, and it may be useful to investigate why this happens.  Could it
be a change in the ca-certificate package?  It is quite wasteful to send
a list of this many trusted CA certificates.  Perhaps it reflects the
ca-certificate trust setting: if you click that you trust all CAs in
the entire world, exim/gnutls may use that.  But I'm not that familiar
with how trusted CA handling works in Debian.

/Simon
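The mechanism behind the report above, as an added example (this is not GnuTLS code and does not reproduce its buffer handling): a TLS 1.2 CertificateRequest carries one DER-encoded name per trusted CA the server is willing to accept a client certificate from, so its size grows linearly with the server's trust list, and a receiver that buffers handshake messages under a fixed cap rejects it once the list is long enough. The two cap values are taken from the patch; the DNs, the 70-byte name layout, the record fragmentation and the receiver logic are constructed for illustration, and the receiver's ValueError is only an analogue of the gnutls_buffers.c assertion in the debug log, not the actual gnutls code path.

```python
"""Added example, not GnuTLS code: how a TLS 1.2 CertificateRequest grows with
the number of advertised CA names, and what a fixed handshake-size cap does
with it.  DNs, sizes and the receiver below are constructed for illustration."""
import struct

# The before/after values from the patch, used here as plain byte limits (assumption).
CAP_OLD = 16 * 1024
CAP_NEW = 32 * 1024
RECORD_MAX = 16384  # maximum TLS record plaintext, RFC 5246 section 6.2.1


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_name(org, cn):
    """Minimal X.501 Name: SEQUENCE of two RDNs (O=org, CN=cn), PrintableString values."""
    def atv(oid, value):
        return der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x13, value.encode("ascii"))))
    return der_tlv(0x30, atv(b"\x55\x04\x0a", org) + atv(b"\x55\x04\x03", cn))


def certificate_request_body(ca_names):
    """RFC 5246 7.4.4 CertificateRequest: cert types, sig/hash algorithms, DN list."""
    cert_types = b"\x01\x01"              # one type: rsa_sign
    sig_algs = b"\x00\x02" + b"\x04\x01"  # one pair: sha256 + rsa
    dn_list = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    return cert_types + sig_algs + struct.pack("!H", len(dn_list)) + dn_list


def handshake_message(msg_type, body):
    """Handshake header: 1-byte type, 3-byte length, then the body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def fragment(hs_msg):
    """Split one handshake message across TLS 1.2 handshake records (type 0x16)."""
    return [b"\x16\x03\x03" + struct.pack("!H", len(hs_msg[i:i + RECORD_MAX])) + hs_msg[i:i + RECORD_MAX]
            for i in range(0, len(hs_msg), RECORD_MAX)]


def reassemble(records, cap):
    """Receiver side: buffer handshake fragments, refusing to hold more than `cap`
    bytes.  Raising ValueError here stands in for the gnutls_buffers.c assertion
    seen in the debug log (an analogue, not the real gnutls code path)."""
    buf = b""
    for rec in records:
        if rec[0] != 0x16:
            raise ValueError("not a handshake record")
        (rlen,) = struct.unpack("!H", rec[3:5])
        payload = rec[5:5 + rlen]
        if len(buf) + len(payload) > cap:
            raise ValueError(f"buffered handshake data would exceed {cap} bytes")
        buf += payload
        if len(buf) >= 4:
            msg_len = int.from_bytes(buf[1:4], "big")
            if msg_len > cap:
                raise ValueError(f"handshake message of {msg_len} bytes exceeds cap {cap}")
            if len(buf) >= 4 + msg_len:
                return buf[0], buf[4:4 + msg_len]
    raise ValueError("incomplete handshake message")


def sample_ca_names(count):
    """Constructed CA names, 70 bytes of DER each; not real CAs."""
    return [der_name("Example Trust Services Ltd", f"Example Root CA {i:04d}") for i in range(count)]


def max_ca_names(cap, name):
    """How many DNs of this size fit in one CertificateRequest under the cap."""
    overhead = 4 + len(certificate_request_body([]))  # handshake header + fixed fields
    return (cap - overhead) // (len(name) + 2)


def demo(count, cap):
    """Advertise `count` CAs, then feed the message to a receiver enforcing `cap`."""
    msg = handshake_message(13, certificate_request_body(sample_ca_names(count)))
    try:
        reassemble(fragment(msg), cap)
        return len(msg), "accepted"
    except ValueError as e:
        return len(msg), f"rejected: {e}"


if __name__ == "__main__":
    for cap in (CAP_OLD, CAP_NEW):
        print(cap, max_ca_names(cap, sample_ca_names(1)[0]), demo(300, cap))
```

With these 70-byte names, 227 CA names already fill the 16 KB cap and 454 fill the 32 KB one, which is why the question about the size of the server's trusted-CA set matters: the patch moves the threshold but does not remove it, and a trust list that keeps growing reaches the new limit the same way.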
