ssl: adds safety checks
authorPhilippe Antoine <contact@catenacyber.fr>
Tue, 16 Jun 2020 11:54:46 +0000 (13:54 +0200)
committerVictor Julien <victor@inliniac.net>
Wed, 7 Oct 2020 04:55:04 +0000 (06:55 +0200)
Ensure the client version is valid by checking hello flags

Ensure no integer underflow occurs in SSLv3ParseHandshakeType

src/app-layer-ssl.c

index 2cd1f861d475e17645c2e6e78742783bbbd25052..f2e6b39a172e27714330cc5dd5437970cacd8efa 100644 (file)
@@ -1631,6 +1631,10 @@ static int SSLv3ParseHandshakeType(SSLState *ssl_state, const uint8_t *input,
             ssl_state->curr_connp->bytes_processed + input_len) {
         SCLogDebug("msg done");
 
+        // Safety check against integer underflow
+        DEBUG_VALIDATE_BUG_ON(
+                ssl_state->curr_connp->message_start + ssl_state->curr_connp->message_length <
+                ssl_state->curr_connp->bytes_processed);
         write_len = (ssl_state->curr_connp->message_start + ssl_state->curr_connp->message_length) -
             ssl_state->curr_connp->bytes_processed;
         DEBUG_VALIDATE_BUG_ON(write_len > input_len);
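Review bot: The new underflow guard before the `write_len` computation is a `DEBUG_VALIDATE_BUG_ON`, which in Suricata compiles to nothing unless the build defines DEBUG_VALIDATION, so a production build still performs the subtraction unchecked. The following `DEBUG_VALIDATE_BUG_ON(write_len > input_len)` is debug-only too, so in a release build nothing in this hunk bounds `write_len` if the record bookkeeping ever gets out of step on malformed traffic. I would add a runtime guard next to the assertion that fails the parse, e.g. `if (ssl_state->curr_connp->message_start + ssl_state->curr_connp->message_length < ssl_state->curr_connp->bytes_processed) return -1;`. The return value should follow whatever error convention SSLv3ParseHandshakeType already uses, since its body starts and ends outside the hunk. The use of `write_len` is also outside the hunk, so the impact of a wrapped value is inferred, not shown.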
@@ -2373,8 +2377,10 @@ static int SSLv3Decode(uint8_t direction, SSLState *ssl_state,
             if (ssl_state->flags & SSL_AL_FLAG_CHANGE_CIPHER_SPEC) {
                 /* In TLSv1.3, ChangeCipherSpec is only used for middlebox
                    compability (rfc8446, appendix D.4). */
-                if ((ssl_state->client_connp.version > TLS_VERSION_12) &&
-                       ((ssl_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) == 0)) {
+                // Client hello flags is needed to have a valid version
+                if ((ssl_state->flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) &&
+                        (ssl_state->client_connp.version > TLS_VERSION_12) &&
+                        ((ssl_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) == 0)) {
                     /* do nothing */
                 } else {
                     break;
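Review bot: The comment added above the new `SSL_AL_FLAG_STATE_CLIENT_HELLO` test does not say why the version is untrusted without the flag or what happens in that case. As written, a ChangeCipherSpec seen before any ClientHello now takes the `else { break; }` path, and a reader cannot tell whether that is intended. I would replace it with a block comment in the style of the neighbouring one, e.g. `/* client_connp.version is only meaningful once a ClientHello has been parsed; without it, do not apply the TLSv1.3 middlebox-compat exception */`. The effect of the `break` depends on the enclosing switch or loop, which is outside the hunk, so the comment should be checked against that context.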