Fix for possible use of invalid *sslFrame and calculated headerSz in partial case with WOLFSSL_SNIFFER_CHAIN_INPUT.

2025-07-30 10:47:28 +02:00 · 2021-04-15 09:01:11 -07:00
parent d34161e482
commit 64c7830c93
1 changed files with 35 additions and 35 deletions
--- a/src/sniffer.c
+++ b/src/sniffer.c
@ -4883,46 +4883,46 @@ static int CheckPreRecord(IpInfo* ipInfo, TcpInfo* tcpInfo,
            *sslFrame = ssl->buffers.inputBuffer.buffer;
            *end = *sslFrame + *sslBytes;
        }
    }
-    if (vChain != NULL) {
+        if (vChain != NULL) {
-#ifdef WOLFSSL_SNIFFER_CHAIN_INPUT
+    #ifdef WOLFSSL_SNIFFER_CHAIN_INPUT
-        struct iovec* chain = (struct iovec*)vChain;
+            struct iovec* chain = (struct iovec*)vChain;
-        word32 i, offset, headerSz, qty, remainder;
+            word32 i, offset, headerSz, qty, remainder;
-        Trace(CHAIN_INPUT_STR);
+            Trace(CHAIN_INPUT_STR);
-        headerSz = (word32)((const byte*)*sslFrame - (const byte*)chain[0].iov_base);
+            headerSz = (word32)((const byte*)*sslFrame - (const byte*)chain[0].iov_base);
-        remainder = *sslBytes;
+            remainder = *sslBytes;
-        if ( (*sslBytes + length) > ssl->buffers.inputBuffer.bufferSize) {
+            if ( (*sslBytes + length) > ssl->buffers.inputBuffer.bufferSize) {
-            if (GrowInputBuffer(ssl, *sslBytes, length) < 0) {
+                if (GrowInputBuffer(ssl, *sslBytes, length) < 0) {
-                SetError(MEMORY_STR, error, *session, FATAL_ERROR_STATE);
+                    SetError(MEMORY_STR, error, *session, FATAL_ERROR_STATE);
-                return -1;
+                    return -1;
                }
            }
            qty = min(*sslBytes, (word32)chain[0].iov_len - headerSz);
            XMEMCPY(&ssl->buffers.inputBuffer.buffer[length],
                (byte*)chain[0].iov_base + headerSz, qty);
            offset = length;
            for (i = 1; i < chainSz; i++) {
                offset += qty;
                remainder -= qty;
                if (chain[i].iov_len > remainder)
                    qty = remainder;
                else
                    qty = (word32)chain[i].iov_len;
                XMEMCPY(ssl->buffers.inputBuffer.buffer + offset,
                        chain[i].iov_base, qty);
            }
            *sslBytes += length;
            ssl->buffers.inputBuffer.length = *sslBytes;
            *sslFrame = ssl->buffers.inputBuffer.buffer;
            *end = *sslFrame + *sslBytes;
    #endif
            (void)chainSz;
        }
        qty = min(*sslBytes, (word32)chain[0].iov_len - headerSz);
        XMEMCPY(&ssl->buffers.inputBuffer.buffer[length],
               (byte*)chain[0].iov_base + headerSz, qty);
        offset = length;
        for (i = 1; i < chainSz; i++) {
            offset += qty;
            remainder -= qty;
            if (chain[i].iov_len > remainder)
                qty = remainder;
            else
                qty = (word32)chain[i].iov_len;
            XMEMCPY(ssl->buffers.inputBuffer.buffer + offset,
                    chain[i].iov_base, qty);
        }
        *sslBytes += length;
        ssl->buffers.inputBuffer.length = *sslBytes;
        *sslFrame = ssl->buffers.inputBuffer.buffer;
        *end = *sslFrame + *sslBytes;
 #endif
        (void)chainSz;
    }
    if ((*session)->flags.clientHello == 0 && **sslFrame != handshake) {