mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-06 16:10:52 +02:00
In SSL sniffer, ensure the ClientHello extension length is sufficient to read the length before attempting the actual read.
Thanks to Zou Dikai for the report.
This commit is contained in:
@@ -4195,6 +4195,9 @@ static int ProcessClientHello(const byte* input, int* sslBytes,
|
||||
{
|
||||
word16 listLen = 0, offset = 0;
|
||||
|
||||
if (extLen < OPAQUE16_LEN)
|
||||
return BUFFER_ERROR;
|
||||
|
||||
ato16(input + offset, &listLen);
|
||||
offset += OPAQUE16_LEN;
|
||||
|
||||
@@ -4228,6 +4231,9 @@ static int ProcessClientHello(const byte* input, int* sslBytes,
|
||||
#ifdef WOLFSSL_TLS13
|
||||
case EXT_KEY_SHARE:
|
||||
{
|
||||
if (extLen < OPAQUE16_LEN)
|
||||
return BUFFER_ERROR;
|
||||
|
||||
word16 ksLen = (word16)((input[0] << 8) | input[1]);
|
||||
if (ksLen + OPAQUE16_LEN > extLen) {
|
||||
SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
|
||||
@@ -4252,6 +4258,9 @@ static int ProcessClientHello(const byte* input, int* sslBytes,
|
||||
word32 ticketAge;
|
||||
const byte *identity, *binders;
|
||||
|
||||
if (extLen < OPAQUE16_LEN)
|
||||
return BUFFER_ERROR;
|
||||
|
||||
idsLen = (word16)((input[idx] << 8) | input[idx+1]);
|
||||
if ((word32)idsLen + OPAQUE16_LEN + idx > (word32)extLen) {
|
||||
SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
|
||||
|
||||
Reference in New Issue
Block a user