From 679d04d201011eb0359f8d2929491194b97960d7 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Fri, 6 Mar 2026 09:05:53 +0100 Subject: [PATCH] Add bounds check on read in sniffer --- src/sniffer.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/sniffer.c b/src/sniffer.c index 9c6949e4ca..ee5c2944fa 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -4260,12 +4260,20 @@ static int ProcessClientHello(const byte* input, int* sslBytes, idx += idLen; /* Obfuscated Ticket Age 32-bits */ + if (idx + OPAQUE32_LEN > extLen) { + SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE); + return WOLFSSL_FATAL_ERROR; + } ticketAge = (word32)((input[idx] << 24) | (input[idx+1] << 16) | (input[idx+2] << 8) | input[idx+3]); (void)ticketAge; /* not used */ idx += OPAQUE32_LEN; /* binders - all binders */ + if (idx + OPAQUE16_LEN > extLen) { + SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE); + return WOLFSSL_FATAL_ERROR; + } bindersLen = (word16)((input[idx] << 8) | input[idx+1]); if (bindersLen + OPAQUE16_LEN + idx > extLen) { SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);