}
/* Check if it's possibly a SSLv2 server-hello, in which case the version
* is at byte 7 */
- else if (size >= 8 && pkt[7] == 2)
+ else if (size >= 9 && pkt[7] == 2)
{
/* A version of '2' at byte 7 overlaps with TLS record-data length.
* Check if a hypothetical TLS record-data length agrees with its
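Review bot: The new bound `size >= 9` is not explained at the condition, because the comment above it still only says the version is at byte 7, which would need 8 bytes. Presumably the branch body reads `pkt[8]` when it compares the hypothetical TLS record length, but that body continues outside this hunk, so this should be confirmed there. I would extend the comment to state the requirement, e.g. `* is at byte 7; the record-length check below also reads byte 8, so 9 bytes are required */`. That keeps a later cleanup from "correcting" the bound back to 8 and reintroducing a one-byte over-read on attacker-controlled packet data.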
CHECK(true);
}
+TEST(ssl_protocol_tests, ssl_decode_v2_server_hello_size_8)
+{
+ uint8_t test_data[8] = {
+ 0x16, // Content Type
+ 0x03, 0x03, // Version: TLS 1.2
+ 0x00, 0x03, // Length
+ 0x00, 0x00, 0x02 // pkt[7]==2 triggers SSLv2 server hello check
+ };
+
+ uint32_t result = SSL_decode(test_data, sizeof(test_data), 0, 0,
+ nullptr, nullptr, 0, nullptr, nullptr, nullptr, nullptr);
+
+ CHECK(result != SSL_ARG_ERROR_FLAG);
+}
+
int main(int argc, char** argv)
{
return CommandLineTestRunner::RunAllTests(argc, argv);
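Review bot: In `ssl_decode_v2_server_hello_size_8`, the only assertion is `CHECK(result != SSL_ARG_ERROR_FLAG)`, which holds whether or not the decoder reads one byte past `test_data`. In an uninstrumented build the test therefore most likely passes on the pre-fix code too. It only acts as a regression test for the over-read when the suite runs under AddressSanitizer or valgrind, so I would say that in the test, e.g. `// 8-byte buffer: any read of pkt[8] is out of bounds and is only caught by ASan/valgrind`, and make sure CI runs this target with a sanitizer. If the expected decode result for this 8-byte input is known, asserting that exact value would also pin that the SSLv2 server-hello branch is skipped.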