From 7ca965ab9f972e79a939d7bfb8bc8b8fc30bb0ee Mon Sep 17 00:00:00 2001 From: aidan garske Date: Thu, 25 Jun 2026 14:26:35 -0700 Subject: [PATCH] F-5246 - Check IPv6 extension header fits before dereference in sniffer --- src/sniffer.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/sniffer.c b/src/sniffer.c index 256e9b24fc..b2a2bd04ef 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -2138,7 +2138,13 @@ static int CheckIp6Hdr(Ip6Hdr* iphdr, IpInfo* info, int length, char* error) if (iphdr->next_header != TCP_PROTOCOL) { Ip6ExtHdr* exthdr = (Ip6ExtHdr*)((byte*)iphdr + IP6_HDR_SZ); do { - int hdrsz = (exthdr->length + 1) * 8; + int hdrsz; + /* make sure the extension header is fully present before reading */ + if (length - exthdrsz < (int)sizeof(Ip6ExtHdr)) { + SetError(PACKET_HDR_SHORT_STR, error, NULL, 0); + return WOLFSSL_FATAL_ERROR; + } + hdrsz = (exthdr->length + 1) * 8; if (hdrsz > length - exthdrsz) { SetError(PACKET_HDR_SHORT_STR, error, NULL, 0); return WOLFSSL_FATAL_ERROR;