Merge pull request #2487 from JacobBarthelmeh/Fuzzer

fix for infinite loop with CSR2
2025-08-03 04:34:41 +02:00 · 2019-09-30 10:38:26 -07:00
parent caa5ba7551 e7c2892579
commit ea68e146c7
1 changed files with 6 additions and 2 deletions
--- a/src/tls.c
+++ b/src/tls.c
@@ -3455,15 +3455,19 @@ static int TLSX_CSR2_Parse(WOLFSSL* ssl, byte* input, word16 length,
                        return BUFFER_ERROR;

                    ato16(input + offset, &size);
-                    offset += OPAQUE16_LEN + size;
+                    if (length - offset < size)
+                        return BUFFER_ERROR;

+                    offset += OPAQUE16_LEN + size;
                    /* skip request_extensions */
                    if (length - offset < OPAQUE16_LEN)
                        return BUFFER_ERROR;

                    ato16(input + offset, &size);
-                    offset += OPAQUE16_LEN + size;
+                    if (length - offset < size)
+                        return BUFFER_ERROR;

+                    offset += OPAQUE16_LEN + size;
                    if (offset > length)
                        return BUFFER_ERROR;