@@ -515,6 +515,16 @@ int wh_Server_HandleCertRequest(whServerContext* server, uint16_t magic,
515515 wh_MessageCert_TranslateVerifyRequest (
516516 magic , (whMessageCert_VerifyRequest * )req_packet , & req );
517517
518+ /* Validate certificate data fits within request */
519+ if (req .cert_len > req_size - sizeof (req )) {
520+ resp .rc = WH_ERROR_BADARGS ;
521+ wh_MessageCert_TranslateVerifyResponse (
522+ magic , & resp ,
523+ (whMessageCert_VerifyResponse * )resp_packet );
524+ * out_resp_size = sizeof (resp );
525+ break ;
526+ }
527+
518528 /* Get pointer to certificate data */
519529 cert_data = (const uint8_t * )req_packet + sizeof (req );
520530
@@ -703,10 +713,28 @@ int wh_Server_HandleCertRequest(whServerContext* server, uint16_t magic,
703713 whMessageCert_SimpleResponse resp = {0 };
704714 const uint8_t * cert_data = NULL ;
705715
716+ /* Validate minimum request size */
717+ if (req_size < sizeof (req )) {
718+ resp .rc = WH_ERROR_ABORTED ;
719+ wh_MessageCert_TranslateSimpleResponse (
720+ magic , & resp , (whMessageCert_SimpleResponse * )resp_packet );
721+ * out_resp_size = sizeof (resp );
722+ break ;
723+ }
724+
706725 /* Convert request struct */
707726 wh_MessageCert_TranslateVerifyAcertRequest (
708727 magic , (whMessageCert_VerifyAcertRequest * )req_packet , & req );
709728
729+ /* Validate certificate data fits within request */
730+ if (req .cert_len > req_size - sizeof (req )) {
731+ resp .rc = WH_ERROR_BADARGS ;
732+ wh_MessageCert_TranslateSimpleResponse (
733+ magic , & resp , (whMessageCert_SimpleResponse * )resp_packet );
734+ * out_resp_size = sizeof (resp );
735+ break ;
736+ }
737+
710738 cert_data = (const uint8_t * )req_packet + sizeof (req );
711739
712740 /* Process the verify action */
0 commit comments