From 5b74fc69488aa48feedcee72c3c8ab72af236023 Mon Sep 17 00:00:00 2001
From: "Bohdan Hryniv -X (bhryniv - SOFTSERVE INC at Cisco)"
 <bhryniv@cisco.com>
Date: Thu, 26 Jun 2025 17:10:17 +0000
Subject: [PATCH] Pull request #4781: ssl: fix integer underflow in certificate
 parsing

Merge in SNORT/snort3 from ~BHRYNIV/snort3:ssl_underflow_fix to master

Squashed commit of the following:

commit bc9af6fa1edf78e998f5ea9b8259b7c9c892e08b
Author: Bohdan Hryniv <bhryniv@cisco>
Date:   Fri Jun 20 08:38:08 2025 -0400

    ssl: fix integer underflow in certificate parsing
---
 src/protocols/ssl.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/protocols/ssl.cc b/src/protocols/ssl.cc
index c146c8428..23f902dd9 100644
--- a/src/protocols/ssl.cc
+++ b/src/protocols/ssl.cc
@@ -201,7 +201,7 @@ static uint32_t SSL_decode_handshake_v3(const uint8_t* pkt, int size,
             {
                 certs_rec = (const ServiceSSLV3CertsRecord*)handshake;
                 server_cert_data->certs_len = ntoh3(certs_rec->certs_len);
-                if ( server_cert_data->certs_len > (size - sizeof(certs_rec->certs_len)) )
+                if (server_cert_data->certs_len + sizeof(certs_rec->certs_len) > (unsigned int)size)
                 {
                     return retval | SSL_TRUNCATED_FLAG;
                 }
@@ -695,7 +695,7 @@ ParseCHResult parse_client_hello_data(const uint8_t* pkt, uint16_t size, SSLV3Cl
         pkt += len;
         length -= len;
     }
-    
+
     return ParseCHResult::FAILED;
 }
 
-- 
2.47.3