From 535aaf2325356d517acb761cf81e7bd33ed6dbc4 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Wed, 15 Apr 2026 14:43:26 +0200 Subject: [PATCH] tls: fix TLSX_TCA_GetSize word16 overflow (F-2131) Mirror the TLSX_SNI_GetSize pattern: accumulate into a word32 and return 0 when the aggregate size exceeds WOLFSSL_MAX_16BIT so large idSz values or many TCA entries no longer silently wrap to a small value that undersizes the TLSX_TCA_Write output buffer. --- src/tls.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/src/tls.c b/src/tls.c index dde6a335a9..e94634f149 100644 --- a/src/tls.c +++ b/src/tls.c @@ -2961,7 +2961,7 @@ static void TLSX_TCA_FreeAll(TCA* list, void* heap) static word16 TLSX_TCA_GetSize(TCA* list) { TCA* tca; - word16 length = OPAQUE16_LEN; /* list length */ + word32 length = OPAQUE16_LEN; /* list length */ while ((tca = list)) { list = tca->next; @@ -2979,9 +2979,13 @@ static word16 TLSX_TCA_GetSize(TCA* list) length += OPAQUE16_LEN + tca->idSz; break; } + + if (length > WOLFSSL_MAX_16BIT) { + return 0; + } } - return length; + return (word16)length; } /** Writes the TCA objects of a list in a buffer. */ @@ -14941,8 +14945,15 @@ static int TLSX_GetSize(TLSX* list, byte* semaphore, byte msgType, case TLSX_TRUSTED_CA_KEYS: /* TCA only sends the list on the request. */ - if (isRequest) - length += TCA_GET_SIZE((TCA*)extension->data); + if (isRequest) { + word16 tcaSz = TCA_GET_SIZE((TCA*)extension->data); + /* 0 on non-empty list means 16-bit overflow. */ + if (tcaSz == 0 && extension->data != NULL) { + ret = LENGTH_ERROR; + break; + } + length += tcaSz; + } break; case TLSX_MAX_FRAGMENT_LENGTH: