Pull request #4573: ssl: added length check for cert data processing
authorOleksandr Stepanov -X (ostepano - SOFTSERVE INC at Cisco) <ostepano@cisco.com>
Fri, 17 Jan 2025 18:42:12 +0000 (18:42 +0000)
committerChris Sherwin (chsherwi) <chsherwi@cisco.com>
Fri, 17 Jan 2025 18:42:12 +0000 (18:42 +0000)
Merge in SNORT/snort3 from ~OSTEPANO/snort3:ssl_mem_check to master

Squashed commit of the following:

commit 54e8a224e2c7cc8aa32eb64f6a3a6e59e8a779ea
Author: Oleksandr Stepanov <ostepano@cisco.com>
Date:   Wed Jan 15 07:05:04 2025 -0500

    ssl: added length check for cert data processing

src/protocols/ssl.cc

index c29ecc7a573ac0a123ad17ca15cca630c4eda68c..aceaee60d868fb614a44420180daca06f1111fa8 100644 (file)
@@ -201,6 +201,10 @@ static uint32_t SSL_decode_handshake_v3(const uint8_t* pkt, int size,
             {
                 certs_rec = (const ServiceSSLV3CertsRecord*)handshake;
                 server_cert_data->certs_len = ntoh3(certs_rec->certs_len);
+                if ( server_cert_data->certs_len > (size - sizeof(certs_rec->certs_len)) )
+                {
+                    return retval | SSL_TRUNCATED_FLAG;
+                }
                 server_cert_data->certs_data = (uint8_t*)snort_alloc(server_cert_data->certs_len);
                 memcpy(server_cert_data->certs_data, pkt + sizeof(certs_rec->certs_len), server_cert_data->certs_len);
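Review bot: The new bound `size - sizeof(certs_rec->certs_len)` mixes the `int size` parameter with a `size_t`, so the subtraction is unsigned; if `size` is smaller than the length field, or negative, it wraps to a very large value and the check lets the `memcpy` through. Unless a guard outside this hunk already guarantees that `size` covers the length field, test that first, e.g. `if ( size < (int)sizeof(certs_rec->certs_len) || server_cert_data->certs_len > size - (int)sizeof(certs_rec->certs_len) )`. The length is read through `handshake` while the copy starts at `pkt + sizeof(certs_rec->certs_len)`, so a comment should state that `size` counts the bytes remaining from `pkt` at this point; that is not visible here. On the truncated path `certs_len` keeps the packet-supplied value while `certs_data` stays unallocated, so consider `server_cert_data->certs_len = 0;` before the return. The enclosing block and the rest of SSL_decode_handshake_v3 lie outside the hunk, whose header counts one more trailing line than is shown.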