mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-10 08:40:48 +02:00
F-5728 - Guard ServerHello extension header read and length underflow in sniffer
This commit is contained in:
@@ -3814,6 +3814,13 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
|
||||
word16 extType;
|
||||
word16 extLen;
|
||||
|
||||
/* make sure can read extension type and length */
|
||||
if (*sslBytes < EXT_TYPE_SZ + LENGTH_SZ) {
|
||||
SetError(SERVER_HELLO_INPUT_STR, error, session,
|
||||
FATAL_ERROR_STATE);
|
||||
return WOLFSSL_FATAL_ERROR;
|
||||
}
|
||||
|
||||
extType = (word16)((input[0] << 8) | input[1]);
|
||||
input += EXT_TYPE_SZ;
|
||||
*sslBytes -= EXT_TYPE_SZ;
|
||||
@@ -3905,6 +3912,13 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
|
||||
break;
|
||||
} /* switch (extType) */
|
||||
|
||||
/* make sure the extension fits in the remaining declared length */
|
||||
if ((word16)(extLen + EXT_TYPE_SZ + LENGTH_SZ) > len) {
|
||||
SetError(SERVER_HELLO_INPUT_STR, error, session,
|
||||
FATAL_ERROR_STATE);
|
||||
return WOLFSSL_FATAL_ERROR;
|
||||
}
|
||||
|
||||
input += extLen;
|
||||
*sslBytes -= extLen;
|
||||
len -= extLen + EXT_TYPE_SZ + LENGTH_SZ;
|
||||
|
||||
Reference in New Issue
Block a user