From: Bohdan Hryniv -X (bhryniv - SOFTSERVE INC at Cisco) <bhryniv@cisco.com>
Date: Thu, 26 Jun 2025 17:10:17 +0000 (+0000)
Subject: Pull request #4781: ssl: fix integer underflow in certificate parsing
X-Git-Tag: 3.9.1.0~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5b74fc69488aa48feedcee72c3c8ab72af236023;p=thirdparty%2Fsnort3.git

Pull request #4781: ssl: fix integer underflow in certificate parsing

Merge in SNORT/snort3 from ~BHRYNIV/snort3:ssl_underflow_fix to master

Squashed commit of the following:

commit bc9af6fa1edf78e998f5ea9b8259b7c9c892e08b
Author: Bohdan Hryniv <bhryniv@cisco>
Date:   Fri Jun 20 08:38:08 2025 -0400

    ssl: fix integer underflow in certificate parsing
---

diff --git a/src/protocols/ssl.cc b/src/protocols/ssl.cc
index c146c8428..23f902dd9 100644
--- a/src/protocols/ssl.cc
+++ b/src/protocols/ssl.cc
@@ -201,7 +201,7 @@ static uint32_t SSL_decode_handshake_v3(const uint8_t* pkt, int size,
             {
                 certs_rec = (const ServiceSSLV3CertsRecord*)handshake;
                 server_cert_data->certs_len = ntoh3(certs_rec->certs_len);
-                if ( server_cert_data->certs_len > (size - sizeof(certs_rec->certs_len)) )
+                if (server_cert_data->certs_len + sizeof(certs_rec->certs_len) > (unsigned int)size)
                 {
                     return retval | SSL_TRUNCATED_FLAG;
                 }
@@ -695,7 +695,7 @@ ParseCHResult parse_client_hello_data(const uint8_t* pkt, uint16_t size, SSLV3Cl
         pkt += len;
         length -= len;
     }
-    
+
     return ParseCHResult::FAILED;
 }