From: Mats Klepsland
Date: Thu, 31 Mar 2016 12:21:21 +0000 (+0200)
Subject: app-layer-tls-handshake: fix heap-buffer overflow
X-Git-Tag: suricata-3.0.1~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d07c495ed1a3f7d427ae0db604771ce935a1ccaf;p=thirdparty%2Fsuricata.git
app-layer-tls-handshake: fix heap-buffer overflow
Fix heap-buffer overflow that occurs when we are given repeatedly certificates with the length of zero.
---
diff --git a/src/app-layer-tls-handshake.c b/src/app-layer-tls-handshake.c
index 530a7c1fb0..61e3790e49 100644
--- a/src/app-layer-tls-handshake.c
+++ b/src/app-layer-tls-handshake.c
@@ -110,10 +110,23 @@ int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uin
 i = 0;
 while (certificates_length > 0) {
+ if ((uint32_t)(input + 3 - start_data) > (uint32_t)input_len) {
+ AppLayerDecoderEventsSetEvent(ssl_state->f,
+ TLS_DECODER_EVENT_INVALID_CERTIFICATE);
+ return -1;
+ }
+
 cur_cert_length = input[0]<<16 | input[1]<<8 | input[2];
 input += 3;
 parsed += 3;
+ /* current certificate length should be greater than zero */
+ if (cur_cert_length == 0) {
+ AppLayerDecoderEventsSetEvent(ssl_state->f,
+ TLS_DECODER_EVENT_INVALID_CERTIFICATE);
+ return -1;
+ }
+
 if (input - start_data + cur_cert_length > input_len) {
 AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_CERTIFICATE);
 return -1;
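Review bot: The added 3-byte guard at the top of the `while` loop carries no comment, although it is the check that keeps the read of `input[0]`..`input[2]` inside the buffer; a line such as `/* need 3 bytes for the certificate length field */` above it would match the comment given to the zero-length check. Its `(uint32_t)` cast on `input_len` looks redundant if the parameter is already `uint32_t` (the signature is truncated in the hunk header), and the pre-existing comparison below it uses no casts, so the two bounds checks read inconsistently. Both checks rely on `start_data` and `input_len` describing the same buffer, which is set up outside the hunk and worth confirming against the lines that assign `start_data`. The event-and-return sequence now appears three times in the loop and could share a single error label. The function body starts before and continues after this hunk.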