From 19b99f8072f6faf34350a2d52cc3eebfaa4fd699 Mon Sep 17 00:00:00 2001 From: Kareem Date: Tue, 10 Mar 2026 16:02:59 -0700 Subject: [PATCH] Ensure the length computed by CheckHeaders in the SSL sniffer does not exceed the actual size of the packets. Thanks to Haruto Kimura (Stella) for the report. --- src/sniffer.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/sniffer.c b/src/sniffer.c index 9b07b4ef94..2a1e8b03ed 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -5520,6 +5520,12 @@ static int CheckHeaders(IpInfo* ipInfo, TcpInfo* tcpInfo, const byte* packet, * data after the IP record for the FCS for Ethernet. */ *sslBytes = (int)(packet + ipInfo->total - *sslFrame); + /* Ensure sslBytes does not exceed the actual size. */ + if (*sslBytes > (int)(length - (*sslFrame - packet))) { + SetError(PACKET_HDR_SHORT_STR, error, NULL, 0); + return WOLFSSL_FATAL_ERROR; + } + (void)checkReg; return 0;