F-5728 - Guard ServerHello extension header read and length underflow in sniffer

This commit is contained in:
aidan garske
2026-06-25 14:26:49 -07:00
parent 5572db7f3b
commit 8e87bcbc3e
+14
View File
@@ -3814,6 +3814,13 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
word16 extType;
word16 extLen;
/* make sure can read extension type and length */
if (*sslBytes < EXT_TYPE_SZ + LENGTH_SZ) {
SetError(SERVER_HELLO_INPUT_STR, error, session,
FATAL_ERROR_STATE);
return WOLFSSL_FATAL_ERROR;
}
extType = (word16)((input[0] << 8) | input[1]);
input += EXT_TYPE_SZ;
*sslBytes -= EXT_TYPE_SZ;
@@ -3905,6 +3912,13 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
break;
} /* switch (extType) */
/* make sure the extension fits in the remaining declared length */
if ((word16)(extLen + EXT_TYPE_SZ + LENGTH_SZ) > len) {
SetError(SERVER_HELLO_INPUT_STR, error, session,
FATAL_ERROR_STATE);
return WOLFSSL_FATAL_ERROR;
}
input += extLen;
*sslBytes -= extLen;
len -= extLen + EXT_TYPE_SZ + LENGTH_SZ;