From 8e87bcbc3ed32544b97227d813ce13b7187694e8 Mon Sep 17 00:00:00 2001 From: aidan garske Date: Thu, 25 Jun 2026 14:26:49 -0700 Subject: [PATCH] F-5728 - Guard ServerHello extension header read and length underflow in sniffer --- src/sniffer.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/src/sniffer.c b/src/sniffer.c index bb4895ead3..c1c88d9c7a 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -3814,6 +3814,13 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes, word16 extType; word16 extLen; + /* make sure can read extension type and length */ + if (*sslBytes < EXT_TYPE_SZ + LENGTH_SZ) { + SetError(SERVER_HELLO_INPUT_STR, error, session, + FATAL_ERROR_STATE); + return WOLFSSL_FATAL_ERROR; + } + extType = (word16)((input[0] << 8) | input[1]); input += EXT_TYPE_SZ; *sslBytes -= EXT_TYPE_SZ; @@ -3905,6 +3912,13 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes, break; } /* switch (extType) */ + /* make sure the extension fits in the remaining declared length */ + if ((word16)(extLen + EXT_TYPE_SZ + LENGTH_SZ) > len) { + SetError(SERVER_HELLO_INPUT_STR, error, session, + FATAL_ERROR_STATE); + return WOLFSSL_FATAL_ERROR; + } + input += extLen; *sslBytes -= extLen; len -= extLen + EXT_TYPE_SZ + LENGTH_SZ;