From 0b0df686c3465a73ee644c6fbe316d7f9a090ade Mon Sep 17 00:00:00 2001 From: aidan garske Date: Thu, 25 Jun 2026 14:26:54 -0700 Subject: [PATCH] F-4809 - Guard ClientHello extension header read and length underflow in sniffer --- src/sniffer.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/sniffer.c b/src/sniffer.c index c1c88d9c7a..26dc257977 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -4199,6 +4199,12 @@ static int ProcessClientHello(const byte* input, int* sslBytes, word16 extType; word16 extLen; + /* make sure can read extension type and length */ + if (*sslBytes < EXT_TYPE_SZ + LENGTH_SZ) { + SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE); + return WOLFSSL_FATAL_ERROR; + } + extType = (word16)((input[0] << 8) | input[1]); input += EXT_TYPE_SZ; *sslBytes -= EXT_TYPE_SZ; @@ -4386,6 +4392,12 @@ static int ProcessClientHello(const byte* input, int* sslBytes, break; } + /* make sure the extension fits in the remaining declared length */ + if ((word16)(extLen + EXT_TYPE_SZ + LENGTH_SZ) > len) { + SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE); + return WOLFSSL_FATAL_ERROR; + } + input += extLen; *sslBytes -= extLen; len -= extLen + EXT_TYPE_SZ + LENGTH_SZ;