From 4b0bb75909aba667bc95715a120669d605cee386 Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Tue, 16 Jul 2019 09:54:45 -0700
Subject: [PATCH] Sniffer Watch Cert Chain Part 2

1. Check the sizes picked up out of the message against the expected size of the record when looking at the certificate messages.
2. Renamed the cert and certSz in the watch callback with it being a certChain.
---
 src/sniffer.c | 22 +++++++++++++++++++---
 sslSniffer/sslSnifferTest/snifftest.c | 6 +++---
 wolfssl/sniffer_error.h | 1 +
 wolfssl/sniffer_error.rc | 1 +
 4 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/src/sniffer.c b/src/sniffer.c
index 4c02680ac..65c3e825c 100644
--- a/src/sniffer.c
+++ b/src/sniffer.c
@@ -253,7 +253,8 @@ static const char* const msgTable[] =
     /* 86 */
     "Watch callback not set",
     "Watch hash failed",
-    "Watch callback failed"
+    "Watch callback failed",
+    "Bad Certificate Message"
 };
 
 
@@ -2320,8 +2321,6 @@ static int ProcessCertificate(const byte* input, int* sslBytes,
     int ret;
     byte digest[SHA256_DIGEST_SIZE];
 
-    (void)sslBytes;
-
     /* If the receiver is the server, this is the client certificate message,
      * and it should be ignored at this point. */
     if (session->flags.side == WOLFSSL_SERVER_END)
@@ -2332,11 +2331,28 @@ static int ProcessCertificate(const byte* input, int* sslBytes,
         return -1;
     }
 
+    if (*sslBytes < CERT_HEADER_SZ) {
+        SetError(BAD_CERT_MSG_STR, error, session, FATAL_ERROR_STATE);
+        return -1;
+    }
     ato24(input, &certChainSz);
+    *sslBytes -= CERT_HEADER_SZ;
     input += CERT_HEADER_SZ;
+
+    if (*sslBytes < (int)certChainSz) {
+        SetError(BAD_CERT_MSG_STR, error, session, FATAL_ERROR_STATE);
+        return -1;
+    }
     certChain = input;
+
     ato24(input, &certSz);
     input += OPAQUE24_LEN;
+    if (*sslBytes < (int)certSz) {
+        SetError(BAD_CERT_MSG_STR, error, session, FATAL_ERROR_STATE);
+        return -1;
+    }
+
+    *sslBytes -= certChainSz;
 
     ret = wc_InitSha256(&sha);
     if (ret == 0)
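Review bot: In the third hunk, `if (*sslBytes < (int)certSz)` bounds the first certificate's length against the rest of the record rather than against the chain it must sit inside, and the `ato24(input, &certSz)` just before it reads three bytes that the `*sslBytes < (int)certChainSz` check only covers when certChainSz is at least OPAQUE24_LEN. A certChainSz of 0, 1 or 2, or a certSz larger than certChainSz but still within the record, passes all three new checks, so whatever the code after `ret = wc_InitSha256(&sha)` does with input and certSz (outside the hunk) can be handed bytes that lie outside the chain. Guard the inner length read with certChainSz and bound certSz by `certChainSz - OPAQUE24_LEN`, as below; assuming certChainSz and certSz are the unsigned values ato24 fills, the subtraction cannot wrap once the first guard holds. ProcessCertificate continues past the end of the hunk.

```c
    certChain = input;

    /* The inner length field must itself fit inside the chain. */
    if (certChainSz < OPAQUE24_LEN) {
        SetError(BAD_CERT_MSG_STR, error, session, FATAL_ERROR_STATE);
        return -1;
    }
    ato24(input, &certSz);
    input += OPAQUE24_LEN;
    /* Bound the first certificate by the chain, not by the remaining record. */
    if (certSz > certChainSz - OPAQUE24_LEN) {
        SetError(BAD_CERT_MSG_STR, error, session, FATAL_ERROR_STATE);
        return -1;
    }

    *sslBytes -= certChainSz;
    /* … unchanged: wc_InitSha256 and the rest of ProcessCertificate … */
```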
diff --git a/sslSniffer/sslSnifferTest/snifftest.c b/sslSniffer/sslSnifferTest/snifftest.c
index e2e7495d1..69757b7e4 100644
--- a/sslSniffer/sslSnifferTest/snifftest.c
+++ b/sslSniffer/sslSnifferTest/snifftest.c
@@ -189,13 +189,13 @@ const byte eccHash[] = {
 
 static int myWatchCb(void* vSniffer,
         const unsigned char* certHash, unsigned int certHashSz,
-        const unsigned char* cert, unsigned int certSz,
+        const unsigned char* certChain, unsigned int certChainSz,
         void* ctx, char* error)
 {
     const char* certName = NULL;
 
-    (void)cert;
-    (void)certSz;
+    (void)certChain;
+    (void)certChainSz;
     (void)ctx;
 
     if (certHashSz == sizeof(rsaHash) &&
diff --git a/wolfssl/sniffer_error.h b/wolfssl/sniffer_error.h
index 844f278a0..e3bc38b78 100644
--- a/wolfssl/sniffer_error.h
+++ b/wolfssl/sniffer_error.h
@@ -124,6 +124,7 @@
 #define WATCH_CB_MISSING_STR 86
 #define WATCH_HASH_STR 87
 #define WATCH_FAIL_STR 88
+#define BAD_CERT_MSG_STR 89
 
 
 /* !!!! also add to msgTable in sniffer.c and .rc file !!!! */
diff --git a/wolfssl/sniffer_error.rc b/wolfssl/sniffer_error.rc
index 58fb365e4..336cf33e8 100644
--- a/wolfssl/sniffer_error.rc
+++ b/wolfssl/sniffer_error.rc
@@ -106,5 +106,6 @@ STRINGTABLE
     86, "Watch callback not set"
     87, "Watch hash failed"
     88, "Watch callback failed"
+    89, "Bad Certificate Message"
 }