F-4809 - Guard ClientHello extension header read and length underflow in sniffer

This commit is contained in:
aidan garske
2026-06-25 14:26:54 -07:00
parent 8e87bcbc3e
commit 0b0df686c3
+12
View File
@@ -4199,6 +4199,12 @@ static int ProcessClientHello(const byte* input, int* sslBytes,
word16 extType;
word16 extLen;
/* make sure can read extension type and length */
if (*sslBytes < EXT_TYPE_SZ + LENGTH_SZ) {
SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
return WOLFSSL_FATAL_ERROR;
}
extType = (word16)((input[0] << 8) | input[1]);
input += EXT_TYPE_SZ;
*sslBytes -= EXT_TYPE_SZ;
@@ -4386,6 +4392,12 @@ static int ProcessClientHello(const byte* input, int* sslBytes,
break;
}
/* make sure the extension fits in the remaining declared length */
if ((word16)(extLen + EXT_TYPE_SZ + LENGTH_SZ) > len) {
SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
return WOLFSSL_FATAL_ERROR;
}
input += extLen;
*sslBytes -= extLen;
len -= extLen + EXT_TYPE_SZ + LENGTH_SZ;