From: Victor Julien <victor@inliniac.net>
Date: Fri, 6 Sep 2019 13:07:56 +0000 (+0200)
Subject: ssl: fix bounds checking in version decoding
X-Git-Tag: suricata-5.0.0-rc1~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=922f4f7d78055ed96833b43cb0c086fe37e2b672;p=thirdparty%2Fsuricata.git

ssl: fix bounds checking in version decoding

Reported-by: Sirko Höer -- Code Intelligence for DCSO.

Bug #3169.
---

diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
index 00b67333c7..75ee8f31a4 100644
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -955,6 +955,9 @@ static inline int TLSDecodeHSHelloExtensionSupportedVersions(SSLState *ssl_state
         uint8_t supported_ver_len = *input;
         input += 1;
 
+        if (supported_ver_len < 2)
+            goto invalid_length;
+
         if (!(HAS_SPACE(supported_ver_len)))
             goto invalid_length;
 
@@ -1017,6 +1020,9 @@ static inline int TLSDecodeHSHelloExtensionEllipticCurves(SSLState *ssl_state,
         /* coverity[tainted_data] */
         while (ec_processed_len < elliptic_curves_len)
         {
+            if (!(HAS_SPACE(2)))
+                goto invalid_length;
+
             uint16_t elliptic_curve = *input << 8 | *(input + 1);
             input += 2;