by jbangert 3953 days ago
Verifying length fields is absolutely a parser issue. Heartbleed and similar bugs arise from the fact that the length is encoded (at least) twice -- once, in the explicit length field, once implicitly in the length of the transmitted data (i.e. the TCP packet length).

If multiple copies of the same redundant information are not identical, then that is definitely a case of invalid input.

I try to address this class of parser vulnerability with my Nail parser generator (OSDI '14, github.com/jbangert/nail), which is inspired by Meredith's hammer.


To the application, there's no such thing as TCP packet length. Is there a TLS packet length?
There's a length field in a TLS record and also one in the heartbeat message itself. Heartbleed happened when the length field of the heartbeat message was longer than the length of the TLS record.
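The redundant-length check both comments describe (the heartbeat message's explicit payload_length must fit inside the TLS record that carries it), as an added example in C; it is not code from the thread, from OpenSSL, or from Nail. It assumes the RFC 6520 heartbeat layout (1-byte type, 2-byte big-endian payload_length, payload, at least 16 bytes of padding) and that the TLS layer hands the parser the record body together with its length.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520): type(1) | payload_length(2) | payload | padding(>=16) */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

enum hb_status { HB_OK = 0, HB_TOO_SHORT = 1, HB_LENGTH_MISMATCH = 2 };

/* Parse a heartbeat message from a TLS record body of record_len bytes.
 * The explicit payload_length field is only trusted after it is checked
 * against the implicit length the transport already gave us. */
enum hb_status hb_parse(const uint8_t *rec, size_t record_len,
                        const uint8_t **payload, size_t *payload_len)
{
    if (record_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return HB_TOO_SHORT;                      /* cannot even hold a header + padding */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* Both copies of the length must agree: the claimed payload plus header and
     * minimum padding may not exceed the bytes actually received. */
    if (claimed > record_len - HB_HEADER_LEN - HB_MIN_PADDING)
        return HB_LENGTH_MISMATCH;                /* Heartbleed-class input: reject */
    *payload = rec + HB_HEADER_LEN;
    *payload_len = claimed;
    return HB_OK;
}

/* Constructed sample: a 24-byte record carrying the 5-byte payload "hello" plus
 * 16 bytes of zero padding, with the length field set to claimed_len. */
enum hb_status hb_demo(uint16_t claimed_len)
{
    uint8_t rec[HB_HEADER_LEN + 5 + HB_MIN_PADDING];
    memset(rec, 0, sizeof rec);
    rec[0] = 1;                                   /* heartbeat_request */
    rec[1] = (uint8_t)(claimed_len >> 8);
    rec[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(rec + HB_HEADER_LEN, "hello", 5);
    const uint8_t *p; size_t n;
    return hb_parse(rec, sizeof rec, &p, &n);
}

int main(void)
{
    printf("consistent length  -> %d\n", hb_demo(5));      /* 0: HB_OK */
    printf("overlong length    -> %d\n", hb_demo(0xFFFF)); /* 2: HB_LENGTH_MISMATCH */
    return 0;
}
```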