remember record length

DeagleGross · DeagleGross · commit a71051738b65 · 2025-05-30T14:49:47.000+02:00
diff --git a/src/Servers/Kestrel/Core/src/Middleware/TlsListener.cs b/src/Servers/Kestrel/Core/src/Middleware/TlsListener.cs
@@ -23,6 +23,7 @@ internal async Task OnTlsClientHelloAsync(ConnectionContext connection, Cancella
     {
         var input = connection.Transport.Input;
         ClientHelloParseState parseState = ClientHelloParseState.NotEnoughData;
+        short recordLength = -1; // remembers the length of TLS record to not re-parse header on every iteration
 
         while (true)
         {
@@ -38,7 +39,7 @@ internal async Task OnTlsClientHelloAsync(ConnectionContext connection, Cancella
                     break;
                 }
 
-                parseState = TryParseClientHello(buffer, out var clientHelloBytes);
+                parseState = TryParseClientHello(buffer, ref recordLength, out var clientHelloBytes);
                 if (parseState == ClientHelloParseState.NotEnoughData)
                 {
                     // if no data will be added, and we still lack enough bytes
@@ -81,10 +82,18 @@ internal async Task OnTlsClientHelloAsync(ConnectionContext connection, Cancella
     /// TLS 1.2: https://datatracker.ietf.org/doc/html/rfc5246#section-6.2
     /// TLS 1.3: https://datatracker.ietf.org/doc/html/rfc8446#section-5.1
     /// </summary>
-    private static ClientHelloParseState TryParseClientHello(ReadOnlySequence<byte> buffer, out ReadOnlySequence<byte> clientHelloBytes)
+    private static ClientHelloParseState TryParseClientHello(ReadOnlySequence<byte> buffer, ref short recordLength, out ReadOnlySequence<byte> clientHelloBytes)
     {
         clientHelloBytes = default;
 
+        // in case bad actor will be sending a TLS client hello one byte at a time
+        // and we know the expected length of TLS client hello,
+        // we can check and fail fastly here instead of re-parsing the TLS client hello "header" on each iteration
+        if (recordLength != -1 && buffer.Length < 5 + recordLength)
+        {
+            return ClientHelloParseState.NotEnoughData;
+        }
+
         if (buffer.Length < 6)
         {
             return ClientHelloParseState.NotEnoughData;
@@ -105,7 +114,7 @@ private static ClientHelloParseState TryParseClientHello(ReadOnlySequence<byte>
         }
 
         // Record length
-        if (!reader.TryReadBigEndian(out short recordLength))
+        if (!reader.TryReadBigEndian(out recordLength))
         {
             return ClientHelloParseState.NotTlsClientHello;
         }

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,7 @@ internal async Task OnTlsClientHelloAsync(ConnectionContext connection, Cancella`
`23`	`23`	`{`
`24`	`24`	`var input = connection.Transport.Input;`
`25`	`25`	`ClientHelloParseState parseState = ClientHelloParseState.NotEnoughData;`
	`26`	`+ short recordLength = -1; // remembers the length of TLS record to not re-parse header on every iteration`
`26`	`27`
`27`	`28`	`while (true)`
`28`	`29`	`{`
`@@ -38,7 +39,7 @@ internal async Task OnTlsClientHelloAsync(ConnectionContext connection, Cancella`
`38`	`39`	`break;`
`39`	`40`	`}`
`40`	`41`
`41`		`- parseState = TryParseClientHello(buffer, out var clientHelloBytes);`
	`42`	`+ parseState = TryParseClientHello(buffer, ref recordLength, out var clientHelloBytes);`
`42`	`43`	`if (parseState == ClientHelloParseState.NotEnoughData)`
`43`	`44`	`{`
`44`	`45`	`// if no data will be added, and we still lack enough bytes`
`@@ -81,10 +82,18 @@ internal async Task OnTlsClientHelloAsync(ConnectionContext connection, Cancella`
`81`	`82`	`/// TLS 1.2: https://datatracker.ietf.org/doc/html/rfc5246#section-6.2`
`82`	`83`	`/// TLS 1.3: https://datatracker.ietf.org/doc/html/rfc8446#section-5.1`
`83`	`84`	`/// </summary>`
`84`		`- private static ClientHelloParseState TryParseClientHello(ReadOnlySequence<byte> buffer, out ReadOnlySequence<byte> clientHelloBytes)`
	`85`	`+ private static ClientHelloParseState TryParseClientHello(ReadOnlySequence<byte> buffer, ref short recordLength, out ReadOnlySequence<byte> clientHelloBytes)`
`85`	`86`	`{`
`86`	`87`	`clientHelloBytes = default;`
`87`	`88`
	`89`	`+ // in case bad actor will be sending a TLS client hello one byte at a time`
	`90`	`+ // and we know the expected length of TLS client hello,`
	`91`	`+ // we can check and fail fastly here instead of re-parsing the TLS client hello "header" on each iteration`
	`92`	`+ if (recordLength != -1 && buffer.Length < 5 + recordLength)`
	`93`	`+ {`
	`94`	`+ return ClientHelloParseState.NotEnoughData;`
	`95`	`+ }`
	`96`	`+`
`88`	`97`	`if (buffer.Length < 6)`
`89`	`98`	`{`
`90`	`99`	`return ClientHelloParseState.NotEnoughData;`
`@@ -105,7 +114,7 @@ private static ClientHelloParseState TryParseClientHello(ReadOnlySequence<byte>`
`105`	`114`	`}`
`106`	`115`
`107`	`116`	`// Record length`
`108`		`- if (!reader.TryReadBigEndian(out short recordLength))`
	`117`	`+ if (!reader.TryReadBigEndian(out recordLength))`
`109`	`118`	`{`
`110`	`119`	`return ClientHelloParseState.NotTlsClientHello;`
`111`	`120`	`}`