app-layer-tls-handshake: fix heap-buffer overflow
authorMats Klepsland <mats.klepsland@gmail.com>
Thu, 31 Mar 2016 12:21:21 +0000 (14:21 +0200)
committerMats Klepsland <mats.klepsland@gmail.com>
Thu, 31 Mar 2016 14:12:56 +0000 (16:12 +0200)
Fix heap-buffer overflow that occurs when we are repeatedly given
certificates with a length of zero.

src/app-layer-tls-handshake.c

index 530a7c1fb04d2c3293f45179b4bd4ed3c626920e..61e3790e497fc27427541fb09d558d47f5408a73 100644 (file)
@@ -110,10 +110,23 @@ int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uin
 
     i = 0;
     while (certificates_length > 0) {
+        if ((uint32_t)(input + 3 - start_data) > (uint32_t)input_len) {
+            AppLayerDecoderEventsSetEvent(ssl_state->f,
+                    TLS_DECODER_EVENT_INVALID_CERTIFICATE);
+            return -1;
+        }
+
         cur_cert_length = input[0]<<16 | input[1]<<8 | input[2];
         input += 3;
         parsed += 3;
 
+        /* current certificate length should be greater than zero */
+        if (cur_cert_length == 0) {
+            AppLayerDecoderEventsSetEvent(ssl_state->f,
+                    TLS_DECODER_EVENT_INVALID_CERTIFICATE);
+            return -1;
+        }
+
         if (input - start_data + cur_cert_length > input_len) {
             AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_CERTIFICATE);
             return -1;
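Review bot: Neither added check compares `cur_cert_length` with the remaining `certificates_length`, so a certificate entry that claims more bytes than the declared chain length is still accepted as long as it fits within `input_len`. The decrement of `certificates_length` lies outside this hunk; if it is an unsigned subtraction of `cur_cert_length + 3`, it would wrap and the `while (certificates_length > 0)` loop would keep parsing past the declared chain until the `input_len` check stops it. Consider widening the zero-length guard to `if (cur_cert_length == 0 || cur_cert_length + 3 > certificates_length) {` and confirming the variable types at their declarations, which are not visible here. The loop body and the rest of the function continue beyond the hunk.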