diff --git a/src/internal.c b/src/internal.c index 6dc0cbe2d1..a32fc042d6 100644 --- a/src/internal.c +++ b/src/internal.c @@ -33943,7 +33943,8 @@ int SendClientKeyExchange(WOLFSSL* ssl) /* Ensure the buffer is null-terminated. */ ssl->arrays->client_identity[MAX_PSK_ID_LEN] = '\0'; args->encSz = (word32)XSTRLEN(ssl->arrays->client_identity); - if (args->encSz > MAX_PSK_ID_LEN) { + if (args->encSz > MAX_PSK_ID_LEN || + args->encSz > MAX_ENCRYPT_SZ) { ERROR_OUT(CLIENT_ID_ERROR, exit_scke); } XMEMCPY(args->encSecret, ssl->arrays->client_identity, @@ -33974,6 +33975,9 @@ int SendClientKeyExchange(WOLFSSL* ssl) if (esSz > MAX_PSK_ID_LEN) { ERROR_OUT(CLIENT_ID_ERROR, exit_scke); } + if (esSz > MAX_ENCRYPT_SZ - (2 * OPAQUE16_LEN)) { + ERROR_OUT(CLIENT_ID_ERROR, exit_scke); + } /* CLIENT: Pre-shared Key for peer authentication. */ ssl->options.peerAuthGood = 1; @@ -33988,7 +33992,7 @@ int SendClientKeyExchange(WOLFSSL* ssl) args->output += OPAQUE16_LEN; XMEMCPY(args->output, ssl->arrays->client_identity, esSz); args->output += esSz; - args->length = args->encSz - esSz - OPAQUE16_LEN; + args->length = args->encSz - esSz - (2 * OPAQUE16_LEN); args->encSz = esSz + OPAQUE16_LEN; CHECK_RET(ret, AllocKey(ssl, DYNAMIC_TYPE_DH, @@ -34025,6 +34029,9 @@ int SendClientKeyExchange(WOLFSSL* ssl) if (esSz > MAX_PSK_ID_LEN) { ERROR_OUT(CLIENT_ID_ERROR, exit_scke); } + if (esSz > MAX_ENCRYPT_SZ - OPAQUE16_LEN - OPAQUE8_LEN) { + ERROR_OUT(CLIENT_ID_ERROR, exit_scke); + } /* CLIENT: Pre-shared Key for peer authentication. */ ssl->options.peerAuthGood = 1; @@ -34033,10 +34040,10 @@ int SendClientKeyExchange(WOLFSSL* ssl) args->output += OPAQUE16_LEN; XMEMCPY(args->output, ssl->arrays->client_identity, esSz); args->output += esSz; - args->encSz = esSz + OPAQUE16_LEN; - /* length is used for public key size */ - args->length = MAX_ENCRYPT_SZ; + args->length = + args->encSz - esSz - OPAQUE16_LEN - OPAQUE8_LEN; + args->encSz = esSz + OPAQUE16_LEN; /* Create shared ECC key leaving room at the beginning * of buffer for size of shared key. */ diff --git a/src/tls13.c b/src/tls13.c index 65378db744..a6f593ebfe 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -5375,7 +5375,8 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, /* Session id */ args->sessIdSz = input[args->idx++]; - if ((args->idx - args->begin) + args->sessIdSz > helloSz) + if (args->sessIdSz > ID_LEN || args->sessIdSz > RAN_LEN || + ((args->idx - args->begin) + args->sessIdSz > helloSz)) return BUFFER_ERROR; args->sessId = input + args->idx; args->idx += args->sessIdSz;