From: Sreeja Athirkandathil Narayanan (sathirka) <sathirka@cisco.com>
Date: Fri, 28 Apr 2023 19:17:03 +0000 (+0000)
Subject: Pull request #3831: appid: validate data size of SSL certificate record before parsing
X-Git-Tag: 3.1.61.0~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dd3c038f12ad8616447eb1b3ca3ba105d2fadad4;p=thirdparty%2Fsnort3.git

Pull request #3831: appid: validate data size of SSL certificate record before parsing

Merge in SNORT/snort3 from ~SATHIRKA/snort3:ssl_validate_crash to master

Squashed commit of the following:

commit 73c6ffdcf155f88b01b7ac8e7070aacc7aa9319c
Author: Sreeja Athirkandathil Narayanan <sathirka@cisco.com>
Date:   Thu Apr 27 13:15:13 2023 -0400

    appid: validate data size of SSL certificate record before parsing
---

diff --git a/src/network_inspectors/appid/service_plugins/service_ssl.cc b/src/network_inspectors/appid/service_plugins/service_ssl.cc
index 5e3ed5e02..e8e058779 100644
--- a/src/network_inspectors/appid/service_plugins/service_ssl.cc
+++ b/src/network_inspectors/appid/service_plugins/service_ssl.cc
@@ -518,6 +518,9 @@ int SslServiceDetector::validate(AppIdDiscoveryArgs& args)
                     /* Start pulling out certificates. */
                     if (!ss->certs_data)
                     {
+                        if (size < sizeof(ServiceSSLV3CertsRecord))
+                            goto fail;
+
                         certs_rec = (const ServiceSSLV3CertsRecord*)data;
                         ss->certs_len = ntoh3(certs_rec->certs_len);
                         ss->certs_data = (uint8_t*)snort_alloc(ss->certs_len);