diff --git a/src/internal.c b/src/internal.c
index 30579538e5..9b8736cac1 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -11294,6 +11294,7 @@ static WC_INLINE int GrowAnOutputBuffer(WOLFSSL* ssl,
 #else
 const byte align = WOLFSSL_GENERAL_ALIGNMENT;
 #endif
+ word32 newSz = 0;
 #if WOLFSSL_GENERAL_ALIGNMENT > 0
 /* the encrypted data will be offset from the front of the buffer by
@@ -11304,8 +11305,13 @@ static WC_INLINE int GrowAnOutputBuffer(WOLFSSL* ssl,
 align *= 2;
 #endif
- tmp = (byte*)XMALLOC(size + outputBuffer->length + align,
- ssl->heap, DYNAMIC_TYPE_OUT_BUFFER);
+ if (!WC_SAFE_SUM_WORD32(outputBuffer->length, (word32)size, newSz))
+ return BUFFER_E;
+#if WOLFSSL_GENERAL_ALIGNMENT > 0
+ if (!WC_SAFE_SUM_WORD32(newSz, align, newSz))
+ return BUFFER_E;
+#endif
+ tmp = (byte*)XMALLOC(newSz, ssl->heap, DYNAMIC_TYPE_OUT_BUFFER);
 WOLFSSL_MSG("growing output buffer");
 if (tmp == NULL)
@@ -11318,7 +11324,7 @@ static WC_INLINE int GrowAnOutputBuffer(WOLFSSL* ssl,
 #ifdef WOLFSSL_STATIC_MEMORY
 /* can be from IO memory pool which does not need copy if same buffer */
 if (outputBuffer->length && tmp == outputBuffer->buffer) {
- outputBuffer->bufferSize = size + outputBuffer->length;
+ outputBuffer->bufferSize = newSz - align;
 return 0;
 }
 #endif
@@ -11339,7 +11345,7 @@ static WC_INLINE int GrowAnOutputBuffer(WOLFSSL* ssl,
 outputBuffer->buffer = tmp;
 outputBuffer->dynamicFlag = 1;
- outputBuffer->bufferSize = size + outputBuffer->length;
+ outputBuffer->bufferSize = newSz - align;
 return 0;
 }
 #endif
diff --git a/src/sniffer.c b/src/sniffer.c
index 0f3e18f1bc..67fba4c3cb 100644
--- a/src/sniffer.c
+++ b/src/sniffer.c
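Review bot: In GrowAnOutputBuffer, the `(word32)size` cast in the first `WC_SAFE_SUM_WORD32` call turns a negative `size` into a very large unsigned value, and the overflow check rejects it only when the sum with `outputBuffer->length` actually wraps. The parameter declaration is outside the hunk, but the cast suggests `size` is signed. If so, an explicit guard before the sum, `if (size < 0) return BAD_FUNC_ARG;`, makes the rejection independent of the current buffer length. If callers already guarantee a non-negative value, a one-line comment saying so next to the cast would be enough.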
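Review bot: `outputBuffer->bufferSize = newSz - align;` in the WOLFSSL_STATIC_MEMORY branch of GrowAnOutputBuffer, and again in the final assignment of the following hunk, subtracts `align` unconditionally although it was added to `newSz` only under `#if WOLFSSL_GENERAL_ALIGNMENT > 0`. That is correct only while `align` is 0 in the other build, which the visible `#else` initialiser suggests but nothing states. I would either wrap the subtraction in the same `#if` or add a comment such as `/* newSz includes align only when WOLFSSL_GENERAL_ALIGNMENT > 0; align is 0 otherwise */`.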
@@ -2146,8 +2146,13 @@ static int CheckIp6Hdr(Ip6Hdr* iphdr, IpInfo* info, int length, char* error)
 exthdrsz += hdrsz;
 exthdr = (Ip6ExtHdr*)((byte*)exthdr + hdrsz);
 }
- while (exthdr->next_header != TCP_PROTOCOL &&
+ while (exthdrsz < length &&
+ exthdr->next_header != TCP_PROTOCOL &&
 exthdr->next_header != NO_NEXT_HEADER);
+ if (exthdrsz >= length) {
+ SetError(PACKET_HDR_SHORT_STR, error, NULL, 0);
+ return WOLFSSL_FATAL_ERROR;
+ }
 }
 #ifndef WOLFSSL_SNIFFER_WATCH
@@ -4571,6 +4576,10 @@ static int DoHandShake(const byte* input, int* sslBytes,
 #ifdef HAVE_MAX_FRAGMENT
 if (session->tlsFragBuf) {
+ if (session->tlsFragOffset + rhSize > session->tlsFragSize) {
+ SetError(HANDSHAKE_INPUT_STR, error, session, FATAL_ERROR_STATE);
+ return WOLFSSL_FATAL_ERROR;
+ }
 XMEMCPY(session->tlsFragBuf + session->tlsFragOffset, input, rhSize);
 session->tlsFragOffset += rhSize;
 *sslBytes -= rhSize;
@@ -4625,6 +4634,10 @@ static int DoHandShake(const byte* input, int* sslBytes,
 *sslBytes += HANDSHAKE_HEADER_SZ;
 }
+ if (session->tlsFragOffset + rhSize > session->tlsFragSize) {
+ SetError(HANDSHAKE_INPUT_STR, error, session, FATAL_ERROR_STATE);
+ return WOLFSSL_FATAL_ERROR;
+ }
 XMEMCPY(session->tlsFragBuf + session->tlsFragOffset, input, rhSize);
 session->tlsFragOffset += rhSize;
 *sslBytes -= rhSize;
@@ -5622,7 +5635,7 @@ static int AddToReassembly(byte from, word32 seq, const byte* sslFrame,
 if (end >= curr->begin)
 end = curr->begin - 1;
- if (MaxRecoveryMemory -1 &&
+ if (MaxRecoveryMemory != -1 &&
 (int)(*reassemblyMemory + sslBytes) > MaxRecoveryMemory) {
 SetError(REASSEMBLY_MAX_STR, error, session, FATAL_ERROR_STATE);
 return WOLFSSL_FATAL_ERROR;
diff --git a/src/ssl_ech.c b/src/ssl_ech.c
index d27522c862..81419d8c10 100644
--- a/src/ssl_ech.c
+++ b/src/ssl_ech.c
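Review bot: In CheckIp6Hdr the new loop condition `exthdrsz < length` guarantees only that a single byte remains at the advanced `exthdr`, which covers `next_header` only if that is the first field of `Ip6ExtHdr`. The loop body starts outside the hunk, so what the next iteration reads first is not visible; if it reads another field of the extension header before its own bounds check, that read can still fall past the captured data. Bounding by the structure size would close this, assuming `Ip6ExtHdr` describes only the fixed part of the header: `while (exthdrsz + (int)sizeof(Ip6ExtHdr) <= length &&`, with the post-loop test changed to `if (exthdrsz + (int)sizeof(Ip6ExtHdr) > length) {`.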
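Review bot: The new bound `session->tlsFragOffset + rhSize > session->tlsFragSize` in DoHandShake, here and in the identical check in the following hunk, is computed with a plain addition, so the guard itself can wrap or go negative for extreme values before the comparison is made. The field and variable types are declared outside the hunk. If they are unsigned 32-bit, the `WC_SAFE_SUM_WORD32` helper this commit uses in src/internal.c would fit; alternatively the test can avoid the sum, `if (rhSize > session->tlsFragSize - session->tlsFragOffset) {`, provided the offset never exceeds the size and `rhSize` cannot be negative. Since the four lines are duplicated verbatim, a small static helper would keep the two copies from drifting apart.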
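Review bot: In AddToReassembly the limit test still narrows the sum with `(int)(*reassemblyMemory + sslBytes)`, so a total above INT_MAX can convert to a negative value and compare as below `MaxRecoveryMemory`, letting the reassembly cap be passed silently. The types are declared outside the hunk, so this is inferred from the cast. If `*reassemblyMemory` is unsigned, doing the comparison without the narrowing cast, for instance against the remaining budget `(word32)MaxRecoveryMemory - *reassemblyMemory`, keeps the cap effective for large totals. A short comment stating that -1 means "no limit" would also help, since the constant's meaning is not visible at this call site.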
@@ -580,6 +580,10 @@ int SetEchConfigsEx(WOLFSSL_EchConfig** outputConfigs, void* heap,
 ato16(echConfig, &hpkePubkeyLen);
 echConfig += 2;
 /* hpke public_key */
+ if (hpkePubkeyLen > HPKE_Npk_MAX) {
+ ret = BUFFER_E;
+ break;
+ }
 XMEMCPY(workingConfig->receiverPubkey, echConfig, hpkePubkeyLen);
 echConfig += hpkePubkeyLen;
 /* cipherSuitesLen */
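Review bot: The added `hpkePubkeyLen > HPKE_Npk_MAX` check in SetEchConfigsEx bounds the write into `workingConfig->receiverPubkey`, but nothing in the hunk confirms that `hpkePubkeyLen` bytes are still available at `echConfig` before the `XMEMCPY` reads them. The enclosing loop starts and ends outside the hunk, so the remaining-length tracking may exist elsewhere; if it does not, the same branch should also reject a length larger than what is left of the input. If `receiverPubkey` is a fixed-size array, using `sizeof(workingConfig->receiverPubkey)` as the bound would tie the check to the destination itself rather than to a separately maintained constant.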