From a1d984a66b915c9bc75385220d2a5b77c01a9ebf Mon Sep 17 00:00:00 2001
From: dmiller
Date: Sun, 26 Oct 2014 16:22:21 +0000
Subject: [PATCH] Fix a couple off-by-one errors in parsing multiple TLS records

Reported by Kent Fritz: http://seclists.org/nmap-dev/2014/q4/104
---
 scripts/ssl-enum-ciphers.nse | 9 ++++-----
 scripts/ssl-poodle.nse       | 9 ++++-----
 2 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/scripts/ssl-enum-ciphers.nse b/scripts/ssl-enum-ciphers.nse
index ac325335c..4ce880f8b 100644
--- a/scripts/ssl-enum-ciphers.nse
+++ b/scripts/ssl-enum-ciphers.nse
@@ -189,16 +189,16 @@ local function try_params(host, port, t)
 
   -- Read response.
   local buffer = ""
-  local i, record = nil
+  local i = 1
   while true do
-    local status
-    status, buffer, err = tls.record_buffer(sock, buffer, 1)
+    status, buffer, err = tls.record_buffer(sock, buffer, i)
     if not status then
       ctx_log(1, t.protocol, "Couldn't read a TLS record: %s", err)
       return nil
     end
     -- Parse response.
-    i, record = tls.record_read(buffer, 1)
+    local record
+    i, record = tls.record_read(buffer, i)
     if record and record.type == "alert" and record.body[1].level == "warning" then
       ctx_log(1, t.protocol, "Ignoring warning: %s", record.body[1].description)
       -- Try again.
@@ -206,7 +206,6 @@ local function try_params(host, port, t)
       sock:close()
       return record
     end
-    buffer = buffer:sub(i+1)
   end
 end
 
diff --git a/scripts/ssl-poodle.nse b/scripts/ssl-poodle.nse
index adbf0a16d..eac30742d 100644
--- a/scripts/ssl-poodle.nse
+++ b/scripts/ssl-poodle.nse
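Review bot: The new loop feeds the `i` returned by tls.record_read straight back into tls.record_buffer on the next pass without checking it, so if record_read can return nil for a record it cannot parse, the next call receives nil as its position instead of a logged failure; a guard after the parse, `if not i then ctx_log(1, t.protocol, "Couldn't parse a TLS record") sock:close() return nil end`, keeps a malformed server reply from surfacing as a Lua error in the script. Dropping `local status` also means the assignment now targets whichever `status` is in scope — fine if try_params declares one earlier (outside this hunk), otherwise it becomes an accidental global that luacheck would flag. Because `buffer` is no longer trimmed, a peer that keeps sending warning alerts makes it grow for the life of the connection, which is acceptable for a probe but deserves a one-line comment such as `-- buffer is kept whole; i tracks the next unread record`. The same points apply to the matching hunk in scripts/ssl-poodle.nse. try_params begins and ends outside the hunk.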
@@ -112,16 +112,16 @@ local function try_params(host, port, t)
 
   -- Read response.
   local buffer = ""
-  local i, record = nil
+  local i = 1
   while true do
-    local status
-    status, buffer, err = tls.record_buffer(sock, buffer, 1)
+    status, buffer, err = tls.record_buffer(sock, buffer, i)
     if not status then
       ctx_log(1, t.protocol, "Couldn't read a TLS record: %s", err)
       return nil
     end
     -- Parse response.
-    i, record = tls.record_read(buffer, 1)
+    local record
+    i, record = tls.record_read(buffer, i)
     if record and record.type == "alert" and record.body[1].level == "warning" then
       ctx_log(1, t.protocol, "Ignoring warning: %s", record.body[1].description)
       -- Try again.
@@ -129,7 +129,6 @@ local function try_params(host, port, t)
       sock:close()
       return record
     end
-    buffer = buffer:sub(i+1)
   end
 end
 