fix for infinite loop with CSR2

2019-09-30 21:32:25 +07:00
parent 43476e80d4
commit e7c2892579
1 changed files with 6 additions and 2 deletions
--- a/src/tls.c
+++ b/src/tls.c
@ -3455,15 +3455,19 @@ static int TLSX_CSR2_Parse(WOLFSSL* ssl, byte* input, word16 length,
                        return BUFFER_ERROR;

                    ato16(input + offset, &size);
-                    offset += OPAQUE16_LEN + size;
+                    if (length - offset < size)
+                        return BUFFER_ERROR;

+                    offset += OPAQUE16_LEN + size;
                    /* skip request_extensions */
                    if (length - offset < OPAQUE16_LEN)
                        return BUFFER_ERROR;

                    ato16(input + offset, &size);
-                    offset += OPAQUE16_LEN + size;
+                    if (length - offset < size)
+                        return BUFFER_ERROR;

+                    offset += OPAQUE16_LEN + size;
                    if (offset > length)
                        return BUFFER_ERROR;