Merge pull request #10788 from aidangarske/fenrir-tls-batch-2026-06

Various hardening fixes across sniffer, QUIC, PKCS#11, TLS and tooling
This commit is contained in:
David Garske
2026-07-08 13:58:14 -07:00
committed by GitHub
11 changed files with 138 additions and 27 deletions
+5 -2
View File
@@ -75,12 +75,12 @@ static QuicRecord *quic_record_make(WOLFSSL *ssl,
XMEMSET(qr, 0, sizeof(*qr));
qr->level = level;
if (level == wolfssl_encryption_early_data) {
qr->capacity = qr->len = (word32)len;
if (qr->capacity > WOLFSSL_QUIC_MAX_RECORD_CAPACITY) {
if (len > (size_t)WOLFSSL_QUIC_MAX_RECORD_CAPACITY) {
WOLFSSL_MSG("QUIC early data length larger than expected");
quic_record_free(ssl, qr);
return NULL;
}
qr->capacity = qr->len = (word32)len;
}
else {
qr->capacity = qr->len = (word32) qr_length(data, len);
@@ -147,6 +147,9 @@ static int quic_record_append(WOLFSSL *ssl, QuicRecord *qr, const uint8_t *data,
uint8_t *ndata = (uint8_t*)XREALLOC(qr->data, qr->len, ssl->heap,
DYNAMIC_TYPE_TMP_BUFFER);
if (!ndata) {
/* keep len consistent with the unchanged buffer so a later
* append does not copy into the smaller allocation */
qr->len = 0;
ret = WOLFSSL_FAILURE;
goto cleanup;
}
+37 -1
View File
@@ -2138,7 +2138,13 @@ static int CheckIp6Hdr(Ip6Hdr* iphdr, IpInfo* info, int length, char* error)
if (iphdr->next_header != TCP_PROTOCOL) {
Ip6ExtHdr* exthdr = (Ip6ExtHdr*)((byte*)iphdr + IP6_HDR_SZ);
do {
int hdrsz = (exthdr->length + 1) * 8;
int hdrsz;
/* make sure the extension header is fully present before reading */
if (length - exthdrsz < (int)sizeof(Ip6ExtHdr)) {
SetError(PACKET_HDR_SHORT_STR, error, NULL, 0);
return WOLFSSL_FATAL_ERROR;
}
hdrsz = (exthdr->length + 1) * 8;
if (hdrsz > length - exthdrsz) {
SetError(PACKET_HDR_SHORT_STR, error, NULL, 0);
return WOLFSSL_FATAL_ERROR;
@@ -3733,6 +3739,10 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
return WOLFSSL_FATAL_ERROR;
}
if (b) {
if (ID_LEN > *sslBytes) {
SetError(SERVER_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
return WOLFSSL_FATAL_ERROR;
}
#ifdef WOLFSSL_TLS13
XMEMCPY(session->sslServer->session->sessionID, input, ID_LEN);
session->sslServer->session->sessionIDSz = ID_LEN;
@@ -3804,6 +3814,13 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
word16 extType;
word16 extLen;
/* make sure can read extension type and length */
if (*sslBytes < EXT_TYPE_SZ + LENGTH_SZ) {
SetError(SERVER_HELLO_INPUT_STR, error, session,
FATAL_ERROR_STATE);
return WOLFSSL_FATAL_ERROR;
}
extType = (word16)((input[0] << 8) | input[1]);
input += EXT_TYPE_SZ;
*sslBytes -= EXT_TYPE_SZ;
@@ -3895,6 +3912,13 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
break;
} /* switch (extType) */
/* make sure the extension fits in the remaining declared length */
if ((word32)extLen + EXT_TYPE_SZ + LENGTH_SZ > len) {
SetError(SERVER_HELLO_INPUT_STR, error, session,
FATAL_ERROR_STATE);
return WOLFSSL_FATAL_ERROR;
}
input += extLen;
*sslBytes -= extLen;
len -= extLen + EXT_TYPE_SZ + LENGTH_SZ;
@@ -4175,6 +4199,12 @@ static int ProcessClientHello(const byte* input, int* sslBytes,
word16 extType;
word16 extLen;
/* make sure can read extension type and length */
if (*sslBytes < EXT_TYPE_SZ + LENGTH_SZ) {
SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
return WOLFSSL_FATAL_ERROR;
}
extType = (word16)((input[0] << 8) | input[1]);
input += EXT_TYPE_SZ;
*sslBytes -= EXT_TYPE_SZ;
@@ -4362,6 +4392,12 @@ static int ProcessClientHello(const byte* input, int* sslBytes,
break;
}
/* make sure the extension fits in the remaining declared length */
if ((word32)extLen + EXT_TYPE_SZ + LENGTH_SZ > len) {
SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
return WOLFSSL_FATAL_ERROR;
}
input += extLen;
*sslBytes -= extLen;
len -= extLen + EXT_TYPE_SZ + LENGTH_SZ;
+3 -3
View File
@@ -6225,16 +6225,16 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
* a chain */
if ((flags & WOLFSSL_BIO_FLAG_READ) && (ssl->biord != NULL)) {
if ((flags & WOLFSSL_BIO_FLAG_WRITE) && (ssl->biord != ssl->biowr)) {
if (ssl->biowr != NULL && ssl->biowr->prev != NULL)
if (ssl->biowr != NULL && ssl->biowr->prev == NULL)
wolfSSL_BIO_free(ssl->biowr);
ssl->biowr = NULL;
}
if (ssl->biord->prev != NULL)
if (ssl->biord->prev == NULL)
wolfSSL_BIO_free(ssl->biord);
ssl->biord = NULL;
}
else if ((flags & WOLFSSL_BIO_FLAG_WRITE) && (ssl->biowr != NULL)) {
if (ssl->biowr->prev != NULL)
if (ssl->biowr->prev == NULL)
wolfSSL_BIO_free(ssl->biowr);
ssl->biowr = NULL;
}