mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-07 09:40:48 +02:00
af329b38a8
Add missing bounds validation in wolfSSL_select_next_proto. Three issues fixed: 1. Outer loop: no check that length byte + position stays within inLen, allowing XMEMCMP to read past the server protocol list buffer. 2. Inner loop: same missing check for clientNames/clientLen boundary. 3. No-overlap fallback unconditionally dereferences clientNames[0] even when clientLen is 0, and returns an outLen that may exceed the buffer. Also reject zero-length protocol entries (invalid per RFC 7301) to prevent infinite loops. Add unit test test_wolfSSL_select_next_proto with 8 cases covering NULL params, normal match, no overlap, malformed length overruns, zero-length entries, and empty client lists.
Before creating any new configure files (.conf) read the CONF_FILES_README.md