From: Oleksandr Stepanov -X (ostepano - SOFTSERVE INC at Cisco) Date: Fri, 17 Jan 2025 18:42:12 +0000 (+0000) Subject: Pull request #4573: ssl: added length check for cert data processing X-Git-Tag: 3.6.2.0~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b20c2b2e06672e1caa45120991e41596b5c7ab34;p=thirdparty%2Fsnort3.git Pull request #4573: ssl: added length check for cert data processing Merge in SNORT/snort3 from ~OSTEPANO/snort3:ssl_mem_check to master Squashed commit of the following: commit 54e8a224e2c7cc8aa32eb64f6a3a6e59e8a779ea Author: Oleksandr Stepanov Date: Wed Jan 15 07:05:04 2025 -0500 ssl: added length check for cert data processing
---
diff --git a/src/protocols/ssl.cc b/src/protocols/ssl.cc
index c29ecc7a5..aceaee60d 100644
--- a/src/protocols/ssl.cc
+++ b/src/protocols/ssl.cc
@@ -201,6 +201,10 @@ static uint32_t SSL_decode_handshake_v3(const uint8_t* pkt, int size,
 {
 certs_rec = (const ServiceSSLV3CertsRecord*)handshake;
 server_cert_data->certs_len = ntoh3(certs_rec->certs_len);
+ if ( server_cert_data->certs_len > (size - sizeof(certs_rec->certs_len)) )
+ {
+ return retval | SSL_TRUNCATED_FLAG;
+ }
 server_cert_data->certs_data = (uint8_t*)snort_alloc(server_cert_data->certs_len);
 memcpy(server_cert_data->certs_data, pkt + sizeof(certs_rec->certs_len), server_cert_data->certs_len);
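Review bot: The added bound `server_cert_data->certs_len > (size - sizeof(certs_rec->certs_len))` subtracts a `size_t` from the `int size` parameter, so when `size` is smaller than the length field the result wraps to a very large unsigned value and the check passes for any `certs_len`, leaving the `memcpy` below to read past the packet. Nothing in the hunk shows that `size` already covers the length field, and `ntoh3(certs_rec->certs_len)` reads that field before any check. A guard ahead of the `ntoh3` line, `if ( size < (int)sizeof(certs_rec->certs_len) ) return retval | SSL_TRUNCATED_FLAG;`, would close both gaps. On the new early return `certs_len` keeps the wire value while `certs_data` is never assigned; resetting `certs_len` to 0 before returning would keep the pair consistent, assuming callers read both. The function body starts and ends outside the hunk.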