From d6c62cca60fd30cbb8878bfce8c497acc74a308d Mon Sep 17 00:00:00 2001 From: Kareem Date: Mon, 6 Apr 2026 15:47:33 -0700 Subject: [PATCH] In SSL sniffer, ensure the ClientHello extension length is sufficient to read the length before attempting the actual read. Thanks to Zou Dikai for the report. --- src/sniffer.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/sniffer.c b/src/sniffer.c index e8664721b1..daad3d297c 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -4195,6 +4195,9 @@ static int ProcessClientHello(const byte* input, int* sslBytes, { word16 listLen = 0, offset = 0; + if (extLen < OPAQUE16_LEN) + return BUFFER_ERROR; + ato16(input + offset, &listLen); offset += OPAQUE16_LEN; @@ -4228,6 +4231,9 @@ static int ProcessClientHello(const byte* input, int* sslBytes, #ifdef WOLFSSL_TLS13 case EXT_KEY_SHARE: { + if (extLen < OPAQUE16_LEN) + return BUFFER_ERROR; + word16 ksLen = (word16)((input[0] << 8) | input[1]); if (ksLen + OPAQUE16_LEN > extLen) { SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE); @@ -4252,6 +4258,9 @@ static int ProcessClientHello(const byte* input, int* sslBytes, word32 ticketAge; const byte *identity, *binders; + if (extLen < OPAQUE16_LEN) + return BUFFER_ERROR; + idsLen = (word16)((input[idx] << 8) | input[idx+1]); if ((word32)idsLen + OPAQUE16_LEN + idx > (word32)extLen) { SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);