From 78abd541ec91cb6f4e2a7e9c6593bff0191a73ba Mon Sep 17 00:00:00 2001 From: Kareem Date: Mon, 6 Apr 2026 15:30:00 -0700 Subject: [PATCH] Enforce max size of responses array in SendCertificateStatus. Thanks to Zou Dikai for the report. --- src/internal.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/internal.c b/src/internal.c index a061851669..4bbb22ceba 100644 --- a/src/internal.c +++ b/src/internal.c @@ -25925,6 +25925,10 @@ int SendCertificateStatus(WOLFSSL* ssl) if (idx > chain->length) break; + if ((i + 1) >= MAX_CERT_EXTENSIONS) { + ret = MAX_CERT_EXTENSIONS_ERR; + break; + } ret = CreateOcspRequest(ssl, request, cert, der.buffer, der.length, &ctxOwnsRequest); if (ret == 0) { @@ -25953,6 +25957,11 @@ int SendCertificateStatus(WOLFSSL* ssl) else { while (ret == 0 && NULL != (request = ssl->ctx->chainOcspRequest[i])) { + if ((i + 1) >= MAX_CERT_EXTENSIONS) { + ret = MAX_CERT_EXTENSIONS_ERR; + break; + } + request->ssl = ssl; ret = CheckOcspRequest(SSL_CM(ssl)->ocsp_stapling, request, &responses[++i], ssl->heap);