ssl: fix bounds checking in version decoding

author Victor Julien <victor@inliniac.net>

Fri, 6 Sep 2019 13:07:56 +0000 (15:07 +0200)

committer Victor Julien <victor@inliniac.net>

Mon, 23 Sep 2019 13:42:13 +0000 (15:42 +0200)
author Victor Julien <victor@inliniac.net>
Fri, 6 Sep 2019 13:07:56 +0000 (15:07 +0200)
committer Victor Julien <victor@inliniac.net>
Mon, 23 Sep 2019 13:42:13 +0000 (15:42 +0200)
diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c

index 00b67333c79b8ed71451775a157eae4c09587075..75ee8f31a4270760b43bc4acf2d921020e119edc 100644 (file)
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -955,6 +955,9 @@ static inline int TLSDecodeHSHelloExtensionSupportedVersions(SSLState *ssl_state
          uint8_t supported_ver_len = *input;
          input += 1;
  
+        if (supported_ver_len < 2)
+            goto invalid_length;
+
          if (!(HAS_SPACE(supported_ver_len)))
              goto invalid_length;
  
@@ -1017,6 +1020,9 @@ static inline int TLSDecodeHSHelloExtensionEllipticCurves(SSLState *ssl_state,
          /* coverity[tainted_data] */
          while (ec_processed_len < elliptic_curves_len)
          {
+            if (!(HAS_SPACE(2)))
+                goto invalid_length;
+
              uint16_t elliptic_curve = *input << 8 | *(input + 1);
              input += 2;
author	Victor Julien <victor@inliniac.net>
	Fri, 6 Sep 2019 13:07:56 +0000 (15:07 +0200)
committer	Victor Julien <victor@inliniac.net>
	Mon, 23 Sep 2019 13:42:13 +0000 (15:42 +0200)