From: Philippe Antoine
Date: Wed, 5 Oct 2022 19:21:41 +0000 (+0200)
Subject: tls: fix buffer overread
X-Git-Tag: suricata-6.0.10~32
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=97f97dd72a3d8a6c86dafa2b15b8e528f137846c;p=thirdparty%2Fsuricata.git
tls: fix buffer overread
Recently introduced by commit 4bab6e24e5e2cef29c9a5a6bee3263e4a3d47e76
Ticket: #5564
(cherry picked from commit 3fbcba8ab7c042fd6f802cdeae02cb0c67771c7a)
---
diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
index c1b3779ebc..9f4fc659b3 100644
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -1493,7 +1493,7 @@ static int SSLv3ParseHandshakeType(SSLState *ssl_state, const uint8_t *input,
 case SSLV3_HS_SERVER_HELLO:
 ssl_state->current_flags = SSL_AL_FLAG_STATE_SERVER_HELLO;
- rc = TLSDecodeHandshakeHello(ssl_state, input, ssl_state->curr_connp->message_length);
+ rc = TLSDecodeHandshakeHello(ssl_state, input, input_len);
 if (rc < 0) return rc;
 break;
@@ -1591,7 +1591,7 @@ static int SSLv3ParseHandshakeProtocol(SSLState *ssl_state, const uint8_t *input
 ssl_state->curr_connp->hs_buffer_offset += add;
 if (ssl_state->curr_connp->hs_buffer_message_size <=
- ssl_state->curr_connp->hs_buffer_offset + input_len) {
+ ssl_state->curr_connp->hs_buffer_offset) {
 ssl_state->curr_connp->handshake_type = ssl_state->curr_connp->hs_buffer_message_type;
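Review bot: In the SSLV3_HS_SERVER_HELLO case of SSLv3ParseHandshakeType, nothing next to the new call `TLSDecodeHandshakeHello(ssl_state, input, input_len)` records how `input_len` relates to `ssl_state->curr_connp->message_length`, so a reader cannot tell whether the decoder may now be handed bytes beyond the declared handshake message. A comment above the call would pin the rule down, for example `/* input_len is what the buffer really holds; message_length comes from the wire and must not be used as a read bound */`. If the caller guarantees the two are equal at this point, `DEBUG_VALIDATE_BUG_ON(ssl_state->curr_connp->message_length != input_len);` would catch a regression in debug builds. The rest of the switch lies outside this hunk, so the other cases are worth checking for the same use of `message_length` as a length argument.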
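Review bot: In SSLv3ParseHandshakeProtocol the corrected test `hs_buffer_message_size <= hs_buffer_offset` has no comment explaining why `input_len` must stay out of it. `hs_buffer_offset` is advanced by `add` on the line just above, so the old form apparently counted the new bytes twice and could treat a partially buffered message as complete. A short comment such as `/* hs_buffer_offset already includes the bytes copied in this call; complete only once the whole message is buffered */` would keep a later edit from reintroducing the extra term. The code that consumes the buffer after this check is outside the hunk, so it cannot be confirmed from here that it reads no more than `hs_buffer_offset` bytes. A regression test that feeds one handshake message split across several records with a short final fragment would cover that path.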