mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-05 15:50:51 +02:00
Guard against unsigned underflow in inputLength calculation
Add bounds check before computing inputLength from curStartIdx + curSize to prevent unsigned underflow if *inOutIdx ever exceeds the record content boundary.
This commit is contained in:
@@ -19088,6 +19088,8 @@ static int DoHandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
|
||||
/* curSize has already been reduced to content-only (padSz subtracted)
|
||||
* in ProcessReply, so curStartIdx + curSize bounds the content. */
|
||||
if (*inOutIdx > (word32)ssl->curStartIdx + ssl->curSize)
|
||||
return BUFFER_ERROR;
|
||||
inputLength = ssl->curStartIdx + ssl->curSize - *inOutIdx;
|
||||
|
||||
/* If there is a pending fragmented handshake message,
|
||||
|
||||
@@ -13936,6 +13936,8 @@ int DoTls13HandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
|
||||
/* curSize has already been reduced to content-only (padSz subtracted)
|
||||
* in ProcessReply, so curStartIdx + curSize bounds the content. */
|
||||
if (*inOutIdx > (word32)ssl->curStartIdx + ssl->curSize)
|
||||
return BUFFER_ERROR;
|
||||
inputLength = ssl->curStartIdx + ssl->curSize - *inOutIdx;
|
||||
|
||||
/* If there is a pending fragmented handshake message,
|
||||
|
||||
Reference in New Issue
Block a user