Posted by Guido Vranken on Oct 19
Triggering this requires that the client sets a very large ALPN list
(several thousand bytes). This would be very unusual in a real-world
application. For this reason OpenSSL does not treat this as a security
vulnerability and I am inclined to agree with this decision. However, if an
attacker can somehow influence the ALPN list of an OpenSSL-enabled
application (perhaps through another vulnerability), the attacker can write
arbitrary data past…