Guard against unsigned underflow in inputLength calculation

Add bounds check before computing inputLength from curStartIdx + curSize
to prevent unsigned underflow if *inOutIdx ever exceeds the record
content boundary.
This commit is contained in:
Juliusz Sosinowicz
2026-04-08 14:07:30 +00:00
parent 38bd87591f
commit b88eb32c1d
2 changed files with 4 additions and 0 deletions
+2
View File
@@ -19088,6 +19088,8 @@ static int DoHandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
/* curSize has already been reduced to content-only (padSz subtracted)
* in ProcessReply, so curStartIdx + curSize bounds the content. */
if (*inOutIdx > (word32)ssl->curStartIdx + ssl->curSize)
return BUFFER_ERROR;
inputLength = ssl->curStartIdx + ssl->curSize - *inOutIdx;
/* If there is a pending fragmented handshake message,
+2
View File
@@ -13936,6 +13936,8 @@ int DoTls13HandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
/* curSize has already been reduced to content-only (padSz subtracted)
* in ProcessReply, so curStartIdx + curSize bounds the content. */
if (*inOutIdx > (word32)ssl->curStartIdx + ssl->curSize)
return BUFFER_ERROR;
inputLength = ssl->curStartIdx + ssl->curSize - *inOutIdx;
/* If there is a pending fragmented handshake message,