From cece804621c454df42a12c377c17faf2b803c413 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Frauenschl=C3=A4ger?= Date: Wed, 1 Apr 2026 15:18:20 +0200 Subject: [PATCH] Cap DTLS1.3 max ACK records to prevent overflow Reported by: Nicholas Carlini --- src/dtls13.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/src/dtls13.c b/src/dtls13.c index 6f0fda11cd..4718036706 100644 --- a/src/dtls13.c +++ b/src/dtls13.c @@ -720,9 +720,14 @@ static Dtls13RecordNumber* Dtls13NewRecordNumber(w64wrapper epoch, return rn; } +#ifndef DTLS13_MAX_ACK_RECORDS +#define DTLS13_MAX_ACK_RECORDS 512 +#endif + int Dtls13RtxAddAck(WOLFSSL* ssl, w64wrapper epoch, w64wrapper seq) { Dtls13RecordNumber* rn; + int count; WOLFSSL_ENTER("Dtls13RtxAddAck"); @@ -741,7 +746,9 @@ int Dtls13RtxAddAck(WOLFSSL* ssl, w64wrapper epoch, w64wrapper seq) return 0; /* list full, silently drop */ } + count = 0; for (; cur != NULL; prevNext = &cur->next, cur = cur->next) { + count++; if (w64Equal(cur->epoch, epoch) && w64Equal(cur->seq, seq)) { /* already in list. no duplicates. */ #ifdef WOLFSSL_RW_THREADED @@ -756,6 +763,16 @@ int Dtls13RtxAddAck(WOLFSSL* ssl, w64wrapper epoch, w64wrapper seq) } } + /* Cap the ACK list to prevent word16 overflow in + * Dtls13GetAckListLength and bound memory consumption */ + if (count >= DTLS13_MAX_ACK_RECORDS) { + WOLFSSL_MSG("DTLS 1.3 ACK list full, dropping record"); + #ifdef WOLFSSL_RW_THREADED + wc_UnLockMutex(&ssl->dtls13Rtx.mutex); + #endif + return 0; + } + rn = Dtls13NewRecordNumber(epoch, seq, ssl->heap); if (rn == NULL) { #ifdef WOLFSSL_RW_THREADED