CVE-2024-5535: `SSL_select_next_proto` buffer overread celebrating a decade of publishing your heap over the internet

Silently sends up to 255 bytes of the client’s heap to the server. The server must support NPN, and the heap data is encrypted in transit.

This is confirmed to affect Python <= 3.9 and Node <= 9. It may equally affect any program that calls SSL_select_next_proto with a client buffer that is not a valid list of protocols (this includes an empty buffer).

However, they were much more common in the lifetime of this bug. You should review your historic usage of SSL_select_next_proto and if you could have ever triggered this bug, I would suggest rolling any secrets available to affected programs.

The various audits, code reviews, static analysis, dynamic analysis, fuzzing, and popularity were not sufficient to remedy this bug earlier.

Though valgrind immediately points it out once triggered, and a really basic static pointer bounds analysis should also find it (though likely with a huge false-positive rate in other code.)

SSL_select_next_proto called with client_len == 0 unconditionally reads client[0] and returns the pointer client + 1. Thereafter, *out points outside a valid address, and *outlen contains an undefined value.

Leave a Comment