sanity check on input length before secure renegotiation compare

2025-07-30 18:57:27 +02:00 · 2020-04-07 10:10:03 -06:00
parent 9a1687d00e
commit 1ce0268477
1 changed files with 15 additions and 9 deletions
--- a/src/tls.c
+++ b/src/tls.c
@ -4788,18 +4788,24 @@ static int TLSX_SecureRenegotiation_Parse(WOLFSSL* ssl, byte* input,
                }
            }
            else if (*input == TLS_FINISHED_SZ) {
-                input++; /* get past size */
+                if (length < TLS_FINISHED_SZ + 1) {
                    WOLFSSL_MSG("SCR malformed buffer");
                    ret = BUFFER_E;
                }
                else {
                    input++; /* get past size */
-                /* validate client verify data */
+                    /* validate client verify data */
-                if (XMEMCMP(input,
+                    if (XMEMCMP(input,
                            ssl->secure_renegotiation->client_verify_data,
                            TLS_FINISHED_SZ) == 0) {
-                    WOLFSSL_MSG("SCR client verify data match");
+                        WOLFSSL_MSG("SCR client verify data match");
-                    TLSX_SetResponse(ssl, TLSX_RENEGOTIATION_INFO);
+                        TLSX_SetResponse(ssl, TLSX_RENEGOTIATION_INFO);
-                    ret = 0;  /* verified */
+                        ret = 0;  /* verified */
-                } else {
+                    } else {
-                    /* already in error state */
+                        /* already in error state */
-                    WOLFSSL_MSG("SCR client verify data Failure");
+                        WOLFSSL_MSG("SCR client verify data Failure");
                    }
                }
            }
        #endif