brooks@csl.sri.com
Date: Fri, 24 Feb 2017 16:58:11 +0000
Cloudflare was leaking data between TLS sessions on the encrypted proxy
systems. Google found this and reported it last week. (Do look at the
PNGs of leaked data, it's remarkable!)
https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
Cloudflare found the bug, fixed it, and posted a write-up:
https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
The bogus code was something like:
    /* generated code */
    if ( ++p == pe )
        goto _test_eof;
but the ++ caused p to skip past pe due to alignment. Assuming they were using a malloc() with strict bounds, leakage would be zero. (Another part of the writeup asserts that the bug triggered reliably only on 4k or smaller buffers.)
PS. One amusing note from the Cloudflare writeup: one of several conditions
that trigger the bug included "Server-Side Excludes execute only if the
client IP has a poor reputation (i.e., it does not work for most visitors)."
Which means that data leaks happened more commonly to clients that were
believed to be malicious!
[This has been PGN-ed for RISKS. Thanks to Brooks.]
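A constructed model of the bound check described in the post, added here as an illustration and not Cloudflare's or Ragel's code: a scanner whose cursor can advance by more than one byte, so that the generated `++p == pe` test is skipped over while a `>=` test still stops at the end of the buffer. The token rule ('x' consumes two bytes) and the helper names are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model (not Cloudflare's code).  The scanner walks buf[0..len)
 * with cursor p and end pointer pe, as Ragel-generated code does.  A two-byte
 * token ('x') advances the cursor by 2, so p can land exactly on pe or jump
 * over it.  The generated check `if (++p == pe)` only recognises the exact
 * landing; `>=` also catches the overshoot.  Indices are used instead of raw
 * pointers so the model itself never reads out of bounds. */
typedef struct {
    size_t overrun;   /* bytes past the end the real loop would go on to read */
} scan_result;

static scan_result scan(const char *buf, size_t len, bool use_ge)
{
    size_t p = 0, pe = len;
    scan_result r = {0};

    while (p < pe) {                         /* model guard: never read OOB */
        size_t step = (buf[p] == 'x') ? 2 : 1; /* assumed token rule */
        p += step;                           /* the generated advance */
        bool at_end = use_ge ? (p >= pe) : (p == pe);
        if (at_end)
            return r;                        /* goto _test_eof: clean stop */
    }
    /* The end check never fired although p is beyond pe; the generated loop
     * would keep consuming adjacent heap memory.  Report how far it got. */
    if (p > pe)
        r.overrun = p - pe;
    return r;
}

/* Bytes the scanner would read past the buffer with the buggy `==` check. */
size_t overrun_with_eq(const char *s) { return scan(s, strlen(s), false).overrun; }

/* Same input with the corrected `>=` check. */
size_t overrun_with_ge(const char *s) { return scan(s, strlen(s), true).overrun; }
```

For input "abx" the `==` variant reports an overrun of one byte while the `>=` variant reports none; for "ab", where the cursor lands exactly on pe, both stop cleanly.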