From 635d326812d9c188b61f64054f17a92f3fc941a8 Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Mon, 18 Mar 2024 15:03:04 +0700
Subject: [PATCH 1/3] CID 337232 sanity check on tainted scalar
---
 src/quic.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/src/quic.c b/src/quic.c
index 02622a7e4..f9e3b4c57 100644
--- a/src/quic.c
+++ b/src/quic.c
@@ -129,6 +129,13 @@ static int quic_record_append(WOLFSSL *ssl, QuicRecord *qr, const uint8_t *data,
 consumed = missing;
 qr->len = qr_length(qr->data, qr->end);
+
+ /* sanity check on length read from wire before use */
+ if (qr->len > (len + qr->capacity)) {
+ ret = BUFFER_E;
+ goto cleanup;
+ }
+
 if (qr->len > qr->capacity) {
 uint8_t *ndata = (uint8_t*)XREALLOC(qr->data, qr->len, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
From 44f3e4a3b73b5faaa22af498a31c6a923b683e61 Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Mon, 18 Mar 2024 16:04:37 +0700
Subject: [PATCH 2/3] CID 337219 allocation using untrusted size
---
 src/quic.c | 8 +++++++-
 wolfssl/quic.h | 9 +++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/quic.c b/src/quic.c
index f9e3b4c57..66f866a48 100644
--- a/src/quic.c
+++ b/src/quic.c
@@ -83,6 +83,11 @@ static QuicRecord *quic_record_make(WOLFSSL *ssl,
 }
 else {
 qr->capacity = qr->len = qr_length(data, len);
+ if (qr->capacity > WOLFSSL_QUIC_MAX_RECORD_CAPACITY) {
+ WOLFSSL_MSG("QUIC length read larger than expected");
+ quic_record_free(ssl, qr);
+ return NULL;
+ }
 }
 if (qr->capacity == 0) {
 qr->capacity = 2*1024;
@@ -131,7 +136,8 @@ static int quic_record_append(WOLFSSL *ssl, QuicRecord *qr, const uint8_t *data,
 qr->len = qr_length(qr->data, qr->end);
 /* sanity check on length read from wire before use */
- if (qr->len > (len + qr->capacity)) {
+ if (qr->len > WOLFSSL_QUIC_MAX_RECORD_CAPACITY) {
+ WOLFSSL_MSG("Length read for quic is larger than expected");
 ret = BUFFER_E;
 goto cleanup;
 }
diff --git a/wolfssl/quic.h b/wolfssl/quic.h
index 8e173a0fd..66a44d65c 100644
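Review bot: The new check on `qr->capacity` in quic_record_make and the one on `qr->len` in the quic_record_append hunk below bound the same wire-derived length against the same limit, but with different log text and no shared helper, so the two will drift apart when the limit or its handling is revised. A small static helper used at both sites, or at least one message for both, e.g. `WOLFSSL_MSG("QUIC record length from wire exceeds WOLFSSL_QUIC_MAX_RECORD_CAPACITY");`, would keep them in step. It is not visible in the hunk whether `qr_length(data, len)` is itself safe when `len` is shorter than the length field it parses; if it is not, that check has to come before this one, since the bound is applied only to its result. quic_record_make begins and ends outside the hunk.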
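Review bot: The comment kept above the rewritten check in quic_record_append, `sanity check on length read from wire before use`, does not tell a later reader what the "use" is, and that is the whole reason for the limit: `qr->len` is what the XREALLOC further down (outside the hunk) takes as its size. I would make it `/* qr->len was parsed from peer-supplied bytes; cap it before it becomes the XREALLOC size below, otherwise the peer chooses the allocation size */`. What `cleanup` does with the partially filled `qr` on this path is outside the hunk, as is the rest of quic_record_append.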
--- a/wolfssl/quic.h
+++ b/wolfssl/quic.h
@@ -290,6 +290,15 @@ int wolfSSL_quic_hkdf(uint8_t* dest, size_t destlen,
 const uint8_t* salt, size_t saltlen, const uint8_t* info, size_t infolen);
+/* most common QUIC packet size as of 2022 was 1,200 bytes
+ * largest packet size listed in the RFC is 1,392 bytes
+ * this gives plenty of breathing room for capacity of records but keeps sizes
+ * read from the wire sane */
+#ifndef WOLFSSL_QUIC_MAX_RECORD_CAPACITY
+ /* 1024*1024 -- 1 MB */
+ #define WOLFSSL_QUIC_MAX_RECORD_CAPACITY 1048576
+#endif
+
 #endif /* WOLFSSL_QUIC */
 #ifdef __cplusplus
From dd6db025e3b51c0dccf2c0695bf80e65a9b716e4 Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Mon, 18 Mar 2024 21:13:42 +0700
Subject: [PATCH 3/3] add parenthesis around define value
---
 wolfssl/quic.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wolfssl/quic.h b/wolfssl/quic.h
index 66a44d65c..d4152423d 100644
--- a/wolfssl/quic.h
+++ b/wolfssl/quic.h
@@ -296,7 +296,7 @@ int wolfSSL_quic_hkdf(uint8_t* dest, size_t destlen,
 * read from the wire sane */
 #ifndef WOLFSSL_QUIC_MAX_RECORD_CAPACITY
 /* 1024*1024 -- 1 MB */
- #define WOLFSSL_QUIC_MAX_RECORD_CAPACITY 1048576
+ #define WOLFSSL_QUIC_MAX_RECORD_CAPACITY (1048576)
 #endif
 #endif /* WOLFSSL_QUIC */
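Review bot: The comment added above `WOLFSSL_QUIC_MAX_RECORD_CAPACITY` justifies the value with QUIC packet sizes, but what the two call sites in src/quic.c compare against it is the length that `qr_length()` parses for a record, and quic_record_append exists to assemble one record across several calls, so a record is presumably not bounded by a packet and the stated rationale is the wrong unit — confirm against qr_length. I would say what the macro actually limits and what overriding it trades off: `/* Upper bound on the record length parsed from the wire in src/quic.c; it caps the allocation a peer can force per record. Raising it raises that cap; lowering it below the largest record a deployment must accept makes quic_record_make return NULL and quic_record_append return BUFFER_E. */` The "1 MB" line can then stay as the note on the literal.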