tls: fix TLSX_ALPN_GetSize word16 overflow (F-2128)

Match the TLSX_SNI_GetSize pattern: use a word32 accumulator and return
0 if the aggregate size exceeds WOLFSSL_MAX_16BIT, so a large number of
ALPN entries can no longer silently wrap the length computation.
This commit is contained in:
Juliusz Sosinowicz
2026-04-15 14:43:05 +02:00
parent 6074a2dbe8
commit 646ff6dde4
+16 -5
View File
@@ -1822,16 +1822,20 @@ static void TLSX_ALPN_FreeAll(ALPN *list, void* heap)
static word16 TLSX_ALPN_GetSize(ALPN *list)
{
ALPN* alpn;
word16 length = OPAQUE16_LEN; /* list length */
word32 length = OPAQUE16_LEN; /* list length */
while ((alpn = list)) {
list = alpn->next;
length++; /* protocol name length is on one byte */
length += (word16)XSTRLEN(alpn->protocol_name);
length += (word32)XSTRLEN(alpn->protocol_name);
if (length > WOLFSSL_MAX_16BIT) {
return 0;
}
}
return length;
return (word16)length;
}
/** Writes the ALPN objects of a list in a buffer. */
@@ -14979,9 +14983,16 @@ static int TLSX_GetSize(TLSX* list, byte* semaphore, byte msgType,
isRequest);
break;
case TLSX_APPLICATION_LAYER_PROTOCOL:
length += ALPN_GET_SIZE((ALPN*)extension->data);
case TLSX_APPLICATION_LAYER_PROTOCOL: {
word16 alpnSz = ALPN_GET_SIZE((ALPN*)extension->data);
/* 0 on non-empty list means 16-bit overflow. */
if (alpnSz == 0 && extension->data != NULL) {
ret = LENGTH_ERROR;
break;
}
length += alpnSz;
break;
}
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
case TLSX_SIGNATURE_ALGORITHMS:
length += SA_GET_SIZE(extension->data);