Pull request #4573: ssl: added length check for cert data processing

Merge in SNORT/snort3 from ~OSTEPANO/snort3:ssl_mem_check to master

Squashed commit of the following:

commit 54e8a224e2c7cc8aa32eb64f6a3a6e59e8a779ea
Author: Oleksandr Stepanov <ostepano@cisco.com>
Date:   Wed Jan 15 07:05:04 2025 -0500

    ssl: added length check for cert data processing

diff --git a/src/protocols/ssl.cc b/src/protocols/ssl.cc
index c29ecc7a573ac0a123ad17ca15cca630c4eda68c..aceaee60d868fb614a44420180daca06f1111fa8 100644 (file)
--- a/src/protocols/ssl.cc
+++ b/src/protocols/ssl.cc
@@ -201,6 +201,10 @@ static uint32_t SSL_decode_handshake_v3(const uint8_t* pkt, int size,
             {
                 certs_rec = (const ServiceSSLV3CertsRecord*)handshake;
                 server_cert_data->certs_len = ntoh3(certs_rec->certs_len);
+                if ( server_cert_data->certs_len > (size - sizeof(certs_rec->certs_len)) )
+                {
+                    return retval | SSL_TRUNCATED_FLAG;
+                }
                 server_cert_data->certs_data = (uint8_t*)snort_alloc(server_cert_data->certs_len);
                 memcpy(server_cert_data->certs_data, pkt + sizeof(certs_rec->certs_len), server_cert_data->certs_len);