mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-11 09:20:55 +02:00
Merge pull request #10788 from aidangarske/fenrir-tls-batch-2026-06
Various hardening fixes across sniffer, QUIC, PKCS#11, TLS and tooling
This commit is contained in:
+5
-2
@@ -75,12 +75,12 @@ static QuicRecord *quic_record_make(WOLFSSL *ssl,
|
||||
XMEMSET(qr, 0, sizeof(*qr));
|
||||
qr->level = level;
|
||||
if (level == wolfssl_encryption_early_data) {
|
||||
qr->capacity = qr->len = (word32)len;
|
||||
if (qr->capacity > WOLFSSL_QUIC_MAX_RECORD_CAPACITY) {
|
||||
if (len > (size_t)WOLFSSL_QUIC_MAX_RECORD_CAPACITY) {
|
||||
WOLFSSL_MSG("QUIC early data length larger than expected");
|
||||
quic_record_free(ssl, qr);
|
||||
return NULL;
|
||||
}
|
||||
qr->capacity = qr->len = (word32)len;
|
||||
}
|
||||
else {
|
||||
qr->capacity = qr->len = (word32) qr_length(data, len);
|
||||
@@ -147,6 +147,9 @@ static int quic_record_append(WOLFSSL *ssl, QuicRecord *qr, const uint8_t *data,
|
||||
uint8_t *ndata = (uint8_t*)XREALLOC(qr->data, qr->len, ssl->heap,
|
||||
DYNAMIC_TYPE_TMP_BUFFER);
|
||||
if (!ndata) {
|
||||
/* keep len consistent with the unchanged buffer so a later
|
||||
* append does not copy into the smaller allocation */
|
||||
qr->len = 0;
|
||||
ret = WOLFSSL_FAILURE;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
+37
-1
@@ -2138,7 +2138,13 @@ static int CheckIp6Hdr(Ip6Hdr* iphdr, IpInfo* info, int length, char* error)
|
||||
if (iphdr->next_header != TCP_PROTOCOL) {
|
||||
Ip6ExtHdr* exthdr = (Ip6ExtHdr*)((byte*)iphdr + IP6_HDR_SZ);
|
||||
do {
|
||||
int hdrsz = (exthdr->length + 1) * 8;
|
||||
int hdrsz;
|
||||
/* make sure the extension header is fully present before reading */
|
||||
if (length - exthdrsz < (int)sizeof(Ip6ExtHdr)) {
|
||||
SetError(PACKET_HDR_SHORT_STR, error, NULL, 0);
|
||||
return WOLFSSL_FATAL_ERROR;
|
||||
}
|
||||
hdrsz = (exthdr->length + 1) * 8;
|
||||
if (hdrsz > length - exthdrsz) {
|
||||
SetError(PACKET_HDR_SHORT_STR, error, NULL, 0);
|
||||
return WOLFSSL_FATAL_ERROR;
|
||||
@@ -3733,6 +3739,10 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
|
||||
return WOLFSSL_FATAL_ERROR;
|
||||
}
|
||||
if (b) {
|
||||
if (ID_LEN > *sslBytes) {
|
||||
SetError(SERVER_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
|
||||
return WOLFSSL_FATAL_ERROR;
|
||||
}
|
||||
#ifdef WOLFSSL_TLS13
|
||||
XMEMCPY(session->sslServer->session->sessionID, input, ID_LEN);
|
||||
session->sslServer->session->sessionIDSz = ID_LEN;
|
||||
@@ -3804,6 +3814,13 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
|
||||
word16 extType;
|
||||
word16 extLen;
|
||||
|
||||
/* make sure can read extension type and length */
|
||||
if (*sslBytes < EXT_TYPE_SZ + LENGTH_SZ) {
|
||||
SetError(SERVER_HELLO_INPUT_STR, error, session,
|
||||
FATAL_ERROR_STATE);
|
||||
return WOLFSSL_FATAL_ERROR;
|
||||
}
|
||||
|
||||
extType = (word16)((input[0] << 8) | input[1]);
|
||||
input += EXT_TYPE_SZ;
|
||||
*sslBytes -= EXT_TYPE_SZ;
|
||||
@@ -3895,6 +3912,13 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
|
||||
break;
|
||||
} /* switch (extType) */
|
||||
|
||||
/* make sure the extension fits in the remaining declared length */
|
||||
if ((word32)extLen + EXT_TYPE_SZ + LENGTH_SZ > len) {
|
||||
SetError(SERVER_HELLO_INPUT_STR, error, session,
|
||||
FATAL_ERROR_STATE);
|
||||
return WOLFSSL_FATAL_ERROR;
|
||||
}
|
||||
|
||||
input += extLen;
|
||||
*sslBytes -= extLen;
|
||||
len -= extLen + EXT_TYPE_SZ + LENGTH_SZ;
|
||||
@@ -4175,6 +4199,12 @@ static int ProcessClientHello(const byte* input, int* sslBytes,
|
||||
word16 extType;
|
||||
word16 extLen;
|
||||
|
||||
/* make sure can read extension type and length */
|
||||
if (*sslBytes < EXT_TYPE_SZ + LENGTH_SZ) {
|
||||
SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
|
||||
return WOLFSSL_FATAL_ERROR;
|
||||
}
|
||||
|
||||
extType = (word16)((input[0] << 8) | input[1]);
|
||||
input += EXT_TYPE_SZ;
|
||||
*sslBytes -= EXT_TYPE_SZ;
|
||||
@@ -4362,6 +4392,12 @@ static int ProcessClientHello(const byte* input, int* sslBytes,
|
||||
break;
|
||||
}
|
||||
|
||||
/* make sure the extension fits in the remaining declared length */
|
||||
if ((word32)extLen + EXT_TYPE_SZ + LENGTH_SZ > len) {
|
||||
SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
|
||||
return WOLFSSL_FATAL_ERROR;
|
||||
}
|
||||
|
||||
input += extLen;
|
||||
*sslBytes -= extLen;
|
||||
len -= extLen + EXT_TYPE_SZ + LENGTH_SZ;
|
||||
|
||||
@@ -6225,16 +6225,16 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
|
||||
* a chain */
|
||||
if ((flags & WOLFSSL_BIO_FLAG_READ) && (ssl->biord != NULL)) {
|
||||
if ((flags & WOLFSSL_BIO_FLAG_WRITE) && (ssl->biord != ssl->biowr)) {
|
||||
if (ssl->biowr != NULL && ssl->biowr->prev != NULL)
|
||||
if (ssl->biowr != NULL && ssl->biowr->prev == NULL)
|
||||
wolfSSL_BIO_free(ssl->biowr);
|
||||
ssl->biowr = NULL;
|
||||
}
|
||||
if (ssl->biord->prev != NULL)
|
||||
if (ssl->biord->prev == NULL)
|
||||
wolfSSL_BIO_free(ssl->biord);
|
||||
ssl->biord = NULL;
|
||||
}
|
||||
else if ((flags & WOLFSSL_BIO_FLAG_WRITE) && (ssl->biowr != NULL)) {
|
||||
if (ssl->biowr->prev != NULL)
|
||||
if (ssl->biowr->prev == NULL)
|
||||
wolfSSL_BIO_free(ssl->biowr);
|
||||
ssl->biowr = NULL;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user