Fix integer underflow in ECH innerClientHelloLen parsing

Add bounds check before subtracting WC_AES_BLOCK_SIZE from the
attacker-controlled innerClientHelloLen field in TLSX_ECH_Parse().
Values 0-15 caused a word16 underflow to ~65K, leading to a heap
buffer overflow write via XMEMSET and heap buffer over-read via
wc_AesGcmDecrypt. Return BAD_FUNC_ARG if the field is too small.
This commit is contained in:
Andrew Hutchings
2026-02-23 15:03:50 +00:00
parent af329b38a8
commit 10325b4587
+3
View File
@@ -13605,6 +13605,9 @@ static int TLSX_ECH_Parse(WOLFSSL* ssl, const byte* readBuf, word16 size,
}
/* read hello inner len */
ato16(readBuf_p, &ech->innerClientHelloLen);
if (ech->innerClientHelloLen < WC_AES_BLOCK_SIZE) {
return BAD_FUNC_ARG;
}
ech->innerClientHelloLen -= WC_AES_BLOCK_SIZE;
readBuf_p += 2;
ech->outerClientPayload = readBuf_p;