Skip to content

Commit eba55c9

Browse files
authored
Fix #1863: Heap-buffer-overflow in TLSECPointFormatExtension parsing (#2110)
1 parent 507d68d commit eba55c9

4 files changed

Lines changed: 23 additions & 1 deletion

File tree

Packet++/src/SSLHandshake.cpp

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1223,8 +1223,13 @@ namespace pcpp
12231223
std::vector<uint8_t> result;
12241224

12251225
uint16_t extensionLength = getLength();
1226+
1227+
if (extensionLength < 1)
1228+
return result;
1229+
12261230
uint8_t listLength = *getData();
1227-
if (listLength != static_cast<uint8_t>(extensionLength - 1))
1231+
1232+
if (extensionLength != static_cast<uint16_t>(listLength) + 1)
12281233
return result; // bad extension data
12291234

12301235
uint8_t* dataPtr = getData() + sizeof(uint8_t);

Tests/Packet++Test/TestDefinition.h

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -168,6 +168,7 @@ PTF_TEST_CASE(SSLMultipleRecordParsing5Test);
168168
PTF_TEST_CASE(SSLPartialCertificateParseTest);
169169
PTF_TEST_CASE(SSLNewSessionTicketParseTest);
170170
PTF_TEST_CASE(SSLMalformedPacketParsing);
171+
PTF_TEST_CASE(SSLECPointFormatExtensionZeroLengthTest);
171172
PTF_TEST_CASE(TLS1_3ParsingTest);
172173
PTF_TEST_CASE(TLSCipherSuiteTest);
173174
PTF_TEST_CASE(ClientHelloTLSFingerprintTest);

Tests/Packet++Test/Tests/SSLTests.cpp

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -563,6 +563,21 @@ PTF_TEST_CASE(SSLMalformedPacketParsing)
563563
PTF_ASSERT_EQUAL(clientHelloMessage->getExtensionCount(), 1);
564564
} // SSLMalformedPacketParsing
565565

566+
PTF_TEST_CASE(SSLECPointFormatExtensionZeroLengthTest)
567+
{
568+
// Malformed EC Point Formats extension data payload:
569+
// Bytes 0-1: { 0x00, 0x0b } -> Extension Type = 11 (EC Point Formats)
570+
// Bytes 2-3: { 0x00, 0x00 } -> Extension Length = 0
571+
// (This is malformed because it lacks the mandatory 1-byte list length field.
572+
// It intentionally triggers the integer underflow vulnerability.)
573+
uint8_t malformedExtData[] = { 0x00, 0x0b, 0x00, 0x00 };
574+
575+
pcpp::TLSECPointFormatExtension ecPointExt(malformedExtData, sizeof(malformedExtData));
576+
std::vector<uint8_t> ecPointFormatList = ecPointExt.getECPointFormatList();
577+
578+
PTF_ASSERT_TRUE(ecPointFormatList.empty());
579+
} // SSLECPointFormatExtensionZeroLengthTest
580+
566581
PTF_TEST_CASE(TLS1_3ParsingTest)
567582
{
568583
timeval time;

Tests/Packet++Test/main.cpp

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -253,6 +253,7 @@ int main(int argc, char* argv[])
253253
PTF_RUN_TEST(SSLPartialCertificateParseTest, "ssl");
254254
PTF_RUN_TEST(SSLNewSessionTicketParseTest, "ssl");
255255
PTF_RUN_TEST(SSLMalformedPacketParsing, "ssl");
256+
PTF_RUN_TEST(SSLECPointFormatExtensionZeroLengthTest, "ssl");
256257
PTF_RUN_TEST(TLS1_3ParsingTest, "ssl");
257258
PTF_RUN_TEST(TLSCipherSuiteTest, "ssl");
258259
PTF_RUN_TEST(ClientHelloTLSFingerprintTest, "ssl");

0 commit comments

Comments
 (0)