From 679d04d201011eb0359f8d2929491194b97960d7 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Fri, 6 Mar 2026 09:05:53 +0100 Subject: [PATCH 1/2] Add bounds check on read in sniffer --- src/sniffer.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/sniffer.c b/src/sniffer.c index 9c6949e4cae..ee5c2944fae 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -4260,12 +4260,20 @@ static int ProcessClientHello(const byte* input, int* sslBytes, idx += idLen; /* Obfuscated Ticket Age 32-bits */ + if (idx + OPAQUE32_LEN > extLen) { + SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE); + return WOLFSSL_FATAL_ERROR; + } ticketAge = (word32)((input[idx] << 24) | (input[idx+1] << 16) | (input[idx+2] << 8) | input[idx+3]); (void)ticketAge; /* not used */ idx += OPAQUE32_LEN; /* binders - all binders */ + if (idx + OPAQUE16_LEN > extLen) { + SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE); + return WOLFSSL_FATAL_ERROR; + } bindersLen = (word16)((input[idx] << 8) | input[idx+1]); if (bindersLen + OPAQUE16_LEN + idx > extLen) { SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE); From 694f25166379af4834ef145b254ea5b5fc6d7039 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Fri, 6 Mar 2026 18:11:33 +0100 Subject: [PATCH 2/2] Add explicit casts --- src/sniffer.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/sniffer.c b/src/sniffer.c index ee5c2944fae..1921713bb00 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -4243,7 +4243,7 @@ static int ProcessClientHello(const byte* input, int* sslBytes, const byte *identity, *binders; idsLen = (word16)((input[idx] << 8) | input[idx+1]); - if (idsLen + OPAQUE16_LEN + idx > extLen) { + if ((word32)idsLen + OPAQUE16_LEN + idx > (word32)extLen) { SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE); return WOLFSSL_FATAL_ERROR; } @@ -4251,7 +4251,7 @@ static int ProcessClientHello(const byte* input, int* sslBytes, /* PSK identity */ idLen = (word16)((input[idx] << 8) | input[idx+1]); - if (idLen + OPAQUE16_LEN + idx > extLen) { + if ((word32)idLen + OPAQUE16_LEN + idx > (word32)extLen) { SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE); return WOLFSSL_FATAL_ERROR; } @@ -4260,7 +4260,7 @@ static int ProcessClientHello(const byte* input, int* sslBytes, idx += idLen; /* Obfuscated Ticket Age 32-bits */ - if (idx + OPAQUE32_LEN > extLen) { + if ((word32)idx + OPAQUE32_LEN > (word32)extLen) { SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE); return WOLFSSL_FATAL_ERROR; } @@ -4270,12 +4270,12 @@ static int ProcessClientHello(const byte* input, int* sslBytes, idx += OPAQUE32_LEN; /* binders - all binders */ - if (idx + OPAQUE16_LEN > extLen) { + if ((word32)idx + OPAQUE16_LEN > (word32)extLen) { SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE); return WOLFSSL_FATAL_ERROR; } bindersLen = (word16)((input[idx] << 8) | input[idx+1]); - if (bindersLen + OPAQUE16_LEN + idx > extLen) { + if ((word32)bindersLen + OPAQUE16_LEN + idx > (word32)extLen) { SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE); return WOLFSSL_FATAL_ERROR; }