Merge pull request #5614 from rizlik/oobread

Fix: parsing oob read in dtls1.3
2025-08-04 13:14:45 +02:00 · 2022-09-21 10:08:32 -07:00
parent 2bf583aa57 400d3c6963
commit 680182cab5
3 changed files with 12 additions and 10 deletions
--- a/src/dtls13.c
+++ b/src/dtls13.c
@@ -90,8 +90,6 @@ typedef struct Dtls13RecordPlaintextHeader {

 /* size of the len field in the unified header */
 #define DTLS13_LEN_SIZE 2
-/* size of the mask used to encrypt/decrypt Record Number  */
-#define DTLS13_RN_MASK_SIZE 16
 /* size of the flags in the unified header */
 #define DTLS13_HDR_FLAGS_SIZE 1
 /* size of the sequence number wher SEQ_LEN_BIT is present */
@@ -1364,6 +1362,8 @@ int Dtls13ParseUnifiedRecordLayer(WOLFSSL* ssl, const byte* input,
       to create record number xor mask). (draft 43 - Sec 4.2.3) */
    if (hdrInfo->recordLength < DTLS13_RN_MASK_SIZE)
        return LENGTH_ERROR;
+    if (inputSize < idx + DTLS13_RN_MASK_SIZE)
+        return BUFFER_ERROR;

    ret = Dtls13EncryptDecryptRecordNumber(ssl, seqNum, seqLen, input + idx,
        DEPROTECT);
--- a/src/internal.c
+++ b/src/internal.c
@@ -10176,13 +10176,15 @@ static int GetDtls13RecordHeader(WOLFSSL* ssl, word32* inOutIdx,
    if (ret != 0)
        return ret;

-    if (readSize < ssl->dtls13CurRlLength) {
+    if (readSize < ssl->dtls13CurRlLength + DTLS13_RN_MASK_SIZE) {
        /* when using DTLS over a medium that does not guarantee that a full
         * message is received in a single read, we may end up without the full
-         * header */
-        ret = GetInputData(ssl, ssl->dtls13CurRlLength - readSize);
+         * header and minimum ciphertext to decrypt record sequence numbers */
+        ret = GetInputData(ssl, ssl->dtls13CurRlLength + DTLS13_RN_MASK_SIZE);
        if (ret != 0)
            return ret;
+
+        readSize = ssl->buffers.inputBuffer.length - *inOutIdx;
    }

    ret = Dtls13ParseUnifiedRecordLayer(ssl,
@@ -10234,11 +10236,8 @@ static int GetDtlsRecordHeader(WOLFSSL* ssl, word32* inOutIdx,
 #endif

 #ifdef WOLFSSL_DTLS13
-    word32 read_size;
    int ret;

-    read_size = ssl->buffers.inputBuffer.length - *inOutIdx;
-
    if (Dtls13IsUnifiedHeader(*(ssl->buffers.inputBuffer.buffer + *inOutIdx))) {

        /* version 1.3 already negotiated */
@@ -10263,8 +10262,8 @@ static int GetDtlsRecordHeader(WOLFSSL* ssl, word32* inOutIdx,

    /* not a unified header, check that we have at least
     * DTLS_RECORD_HEADER_SZ */
-    if (read_size < DTLS_RECORD_HEADER_SZ) {
-        ret = GetInputData(ssl, DTLS_RECORD_HEADER_SZ - read_size);
+    if (ssl->buffers.inputBuffer.length - *inOutIdx < DTLS_RECORD_HEADER_SZ) {
+        ret = GetInputData(ssl, DTLS_RECORD_HEADER_SZ);
        if (ret != 0)
            return LENGTH_ERROR;
    }
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -4640,6 +4640,9 @@ typedef enum EarlyDataState {

 #ifdef WOLFSSL_DTLS13

+/* size of the mask used to encrypt/decrypt Record Number  */
+#define DTLS13_RN_MASK_SIZE 16
+
 typedef struct Dtls13UnifiedHdrInfo {
    word16 recordLength;
    byte seqLo;