From 804081e7c262546b2f2ef1e592d1d50aa76a6194 Mon Sep 17 00:00:00 2001
From: Marco Oliverio
Date: Tue, 20 Sep 2022 09:29:13 +0200
Subject: [PATCH 1/2] fix: GetDtls13RecordHeader:requires correct minimum size
---
 src/dtls13.c | 2 --
 src/internal.c | 15 +++++++--------
 wolfssl/internal.h | 3 +++
 3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/src/dtls13.c b/src/dtls13.c
index 2b9d1edaa..d1389ded2 100644
--- a/src/dtls13.c
+++ b/src/dtls13.c
@@ -90,8 +90,6 @@ typedef struct Dtls13RecordPlaintextHeader {
 /* size of the len field in the unified header */
 #define DTLS13_LEN_SIZE 2
-/* size of the mask used to encrypt/decrypt Record Number */
-#define DTLS13_RN_MASK_SIZE 16
 /* size of the flags in the unified header */
 #define DTLS13_HDR_FLAGS_SIZE 1
 /* size of the sequence number wher SEQ_LEN_BIT is present */
diff --git a/src/internal.c b/src/internal.c
index 2e746ecdc..15cf3b743 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -10176,13 +10176,15 @@ static int GetDtls13RecordHeader(WOLFSSL* ssl, word32* inOutIdx,
 if (ret != 0)
 return ret;
- if (readSize < ssl->dtls13CurRlLength) {
+ if (readSize < ssl->dtls13CurRlLength + DTLS13_RN_MASK_SIZE) {
 /* when using DTLS over a medium that does not guarantee that a full
 * message is received in a single read, we may end up without the full
- * header */
- ret = GetInputData(ssl, ssl->dtls13CurRlLength - readSize);
+ * header and minimum ciphertext to decrypt record sequence numbers */
+ ret = GetInputData(ssl, ssl->dtls13CurRlLength + DTLS13_RN_MASK_SIZE);
 if (ret != 0)
 return ret;
+
+ readSize = ssl->buffers.inputBuffer.length - *inOutIdx;
 }
 ret = Dtls13ParseUnifiedRecordLayer(ssl,
@@ -10234,11 +10236,8 @@ static int GetDtlsRecordHeader(WOLFSSL* ssl, word32* inOutIdx,
 #endif
 #ifdef WOLFSSL_DTLS13
- word32 read_size;
 int ret;
- read_size = ssl->buffers.inputBuffer.length - *inOutIdx;
-
 if (Dtls13IsUnifiedHeader(*(ssl->buffers.inputBuffer.buffer + *inOutIdx))) {
 /* version 1.3 already negotiated */
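Review bot: In the GetDtls13RecordHeader hunk of src/internal.c, the refreshed `readSize = ssl->buffers.inputBuffer.length - *inOutIdx;` is an unsigned subtraction (inOutIdx is a `word32*`) and nothing visible ensures `*inOutIdx` does not exceed the buffered length; if that invariant were ever broken the result would wrap to a large value and the minimum-size test would be skipped. The same expression is used directly as the condition in the later GetDtlsRecordHeader hunk (`ssl->buffers.inputBuffer.length - *inOutIdx < DTLS_RECORD_HEADER_SZ`). The caller may already guarantee this, but it is not shown here, so I would either state the invariant in a comment or guard it once before the subtraction, e.g. `if (*inOutIdx > ssl->buffers.inputBuffer.length) return BUFFER_ERROR;`. It would also help to note next to the call that GetInputData now appears to take the total number of bytes wanted rather than the missing remainder, which is what the argument change from `ssl->dtls13CurRlLength - readSize` implies. Both functions start and end outside their hunks.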
@@ -10263,8 +10262,8 @@ static int GetDtlsRecordHeader(WOLFSSL* ssl, word32* inOutIdx,
 /* not a unified header, check that we have at least
 * DTLS_RECORD_HEADER_SZ */
- if (read_size < DTLS_RECORD_HEADER_SZ) {
- ret = GetInputData(ssl, DTLS_RECORD_HEADER_SZ - read_size);
+ if (ssl->buffers.inputBuffer.length - *inOutIdx < DTLS_RECORD_HEADER_SZ) {
+ ret = GetInputData(ssl, DTLS_RECORD_HEADER_SZ);
 if (ret != 0)
 return LENGTH_ERROR;
 }
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index d5451b752..a73676e72 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -4640,6 +4640,9 @@ typedef enum EarlyDataState {
 #ifdef WOLFSSL_DTLS13
+/* size of the mask used to encrypt/decrypt Record Number */
+#define DTLS13_RN_MASK_SIZE 16
+
 typedef struct Dtls13UnifiedHdrInfo {
 word16 recordLength;
 byte seqLo;
From 400d3c696370e6d6c1812b704987b85ed249b2fc Mon Sep 17 00:00:00 2001
From: Marco Oliverio
Date: Tue, 20 Sep 2022 09:30:30 +0200
Subject: [PATCH 2/2] dtls13: Dtls13ParseUnifiedRecordLayer: add overflow check
---
 src/dtls13.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/dtls13.c b/src/dtls13.c
index d1389ded2..09c04c486 100644
--- a/src/dtls13.c
+++ b/src/dtls13.c
@@ -1362,6 +1362,8 @@ int Dtls13ParseUnifiedRecordLayer(WOLFSSL* ssl, const byte* input,
 to create record number xor mask). (draft 43 - Sec 4.2.3) */
 if (hdrInfo->recordLength < DTLS13_RN_MASK_SIZE)
 return LENGTH_ERROR;
+ if (inputSize < idx + DTLS13_RN_MASK_SIZE)
+ return BUFFER_ERROR;
 ret = Dtls13EncryptDecryptRecordNumber(ssl, seqNum, seqLen, input + idx, DEPROTECT);
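Review bot: The new `inputSize < idx + DTLS13_RN_MASK_SIZE` guard in Dtls13ParseUnifiedRecordLayer has no comment saying what it protects, and it returns a different code (BUFFER_ERROR) from the neighbouring `recordLength` check (LENGTH_ERROR). Judging from the call that follows, it appears to ensure that the DTLS13_RN_MASK_SIZE bytes at `input + idx` handed to Dtls13EncryptDecryptRecordNumber lie inside the received input; I would say so, e.g. `/* the record number mask is derived from DTLS13_RN_MASK_SIZE bytes of ciphertext at input + idx; make sure they are inside the buffer */`. Only the mask-sized sample is bounded here; whether `hdrInfo->recordLength` is also compared with the remaining `inputSize - idx` is not visible in this hunk and is worth confirming. A regression test that feeds a record truncated right after the unified header would pin the fix. The function body starts and ends outside the hunk.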