Sniffer Watch Cert Chain Part 2

1. Check the sizes picked up out of the message against the expected
size of the record when looking at the certificate messages.
2. Renamed the cert and certSz in the watch callback with it being a
certChain.

src/sniffer.c

@@ -253,7 +253,8 @@ static const char* const msgTable[] =
     /* 86 */
     "Watch callback not set",
     "Watch hash failed",
-    "Watch callback failed"
+    "Watch callback failed",
+    "Bad Certificate Message"
 };
 
 
@@ -2320,8 +2321,6 @@ static int ProcessCertificate(const byte* input, int* sslBytes,
     int ret;
     byte digest[SHA256_DIGEST_SIZE];
 
-    (void)sslBytes;
-
     /* If the receiver is the server, this is the client certificate message,
      * and it should be ignored at this point. */
     if (session->flags.side == WOLFSSL_SERVER_END)
@@ -2332,11 +2331,28 @@ static int ProcessCertificate(const byte* input, int* sslBytes,
         return -1;
     }
 
+    if (*sslBytes < CERT_HEADER_SZ) {
+        SetError(BAD_CERT_MSG_STR, error, session, FATAL_ERROR_STATE);
+        return -1;
+    }
     ato24(input, &certChainSz);
+    *sslBytes -= CERT_HEADER_SZ;
     input += CERT_HEADER_SZ;
+
+    if (*sslBytes < (int)certChainSz) {
+        SetError(BAD_CERT_MSG_STR, error, session, FATAL_ERROR_STATE);
+        return -1;
+    }
     certChain = input;
+
     ato24(input, &certSz);
     input += OPAQUE24_LEN;
+    if (*sslBytes < (int)certSz) {
+        SetError(BAD_CERT_MSG_STR, error, session, FATAL_ERROR_STATE);
+        return -1;
+    }
+
+    *sslBytes -= certChainSz;
 
     ret = wc_InitSha256(&sha);
     if (ret == 0)

sslSniffer/sslSnifferTest/snifftest.c

@@ -189,13 +189,13 @@ const byte eccHash[] = {
 
 static int myWatchCb(void* vSniffer,
         const unsigned char* certHash, unsigned int certHashSz,
-        const unsigned char* cert, unsigned int certSz,
+        const unsigned char* certChain, unsigned int certChainSz,
         void* ctx, char* error)
 {
     const char* certName = NULL;
 
-    (void)cert;
-    (void)certSz;
+    (void)certChain;
+    (void)certChainSz;
     (void)ctx;
 
     if (certHashSz == sizeof(rsaHash) &&

wolfssl/sniffer_error.h

@@ -124,6 +124,7 @@
 #define WATCH_CB_MISSING_STR 86
 #define WATCH_HASH_STR 87
 #define WATCH_FAIL_STR 88
+#define BAD_CERT_MSG_STR 89
 /* !!!! also add to msgTable in sniffer.c and .rc file !!!! */
 
 

wolfssl/sniffer_error.rc

@@ -106,5 +106,6 @@ STRINGTABLE
     86, "Watch callback not set"
     87, "Watch hash failed"
     88, "Watch callback failed"
+    89, "Bad Certificate Message"
 }