From: Bohdan Hryniv -X (bhryniv - SOFTSERVE INC at Cisco)
Date: Mon, 19 Jan 2026 13:08:11 +0000 (+0000)
Subject: Pull request #5084: appid: prevent oob read in sslv2 server-hello detection
X-Git-Tag: 3.10.2.0~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f02eb415c6be26ebcd6b330845f99488c6fa9b1d;p=thirdparty%2Fsnort3.git
Pull request #5084: appid: prevent oob read in sslv2 server-hello detection
Merge in SNORT/snort3 from ~BHRYNIV/snort3:ssl_sslv2_shello_oob to master
Squashed commit of the following:
commit 66cc7980ef8a6ded57e4d02679525c146e3a5dd5
Author: Bohdan Hryniv
Date: Wed Jan 7 07:05:04 2026 -0500
appid: prevent oob read in sslv2 server-hello detection
---
diff --git a/src/protocols/ssl.cc b/src/protocols/ssl.cc
index 4ef9a356c..7ae0b165a 100644
--- a/src/protocols/ssl.cc
+++ b/src/protocols/ssl.cc
@@ -575,7 +575,7 @@ uint32_t SSL_decode(
 }
 /* Check if it's possibly a SSLv2 server-hello, in which case the version
 * is at byte 7 */
- else if (size >= 8 && pkt[7] == 2)
+ else if (size >= 9 && pkt[7] == 2)
 {
 /* A version of '2' at byte 7 overlaps with TLS record-data length.
 * Check if a hypothetical TLS record-data length agrees with its
diff --git a/src/protocols/test/ssl_protocol_test.cc b/src/protocols/test/ssl_protocol_test.cc
index 589290327..d7f5910fb 100644
--- a/src/protocols/test/ssl_protocol_test.cc
+++ b/src/protocols/test/ssl_protocol_test.cc
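Review bot: The new bound `size >= 9` on the SSLv2 server-hello branch in SSL_decode is unexplained, and the comment directly above it still says the version is at byte 7, which on its face only justifies `size >= 8`. The access that needs a ninth byte is in the branch body, which continues outside this hunk, so presumably it reads through `pkt[8]`; without a note, a later cleanup could easily restore the old constant. I would add a comment on the condition such as `/* the length check below reads through pkt[8], so 9 bytes are required */`, or derive the bound from the offset and width of that read instead of a bare literal.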
@@ -263,6 +263,21 @@ TEST(ssl_protocol_tests, ssl_cert_common_name_parsing)
 CHECK(true);
 }
+TEST(ssl_protocol_tests, ssl_decode_v2_server_hello_size_8)
+{
+ uint8_t test_data[8] = {
+ 0x16, // Content Type
+ 0x03, 0x03, // Version: TLS 1.2
+ 0x00, 0x03, // Length
+ 0x00, 0x00, 0x02 // pkt[7]==2 triggers SSLv2 server hello check
+ };
+
+ uint32_t result = SSL_decode(test_data, sizeof(test_data), 0, 0,
+ nullptr, nullptr, 0, nullptr, nullptr, nullptr, nullptr);
+
+ CHECK(result != SSL_ARG_ERROR_FLAG);
+}
+
 int main(int argc, char** argv)
 {
 return CommandLineTestRunner::RunAllTests(argc, argv);
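Review bot: `CHECK(result != SSL_ARG_ERROR_FLAG)` in ssl_decode_v2_server_hello_size_8 does not pin the behaviour this commit fixes. A read one byte past `test_data` does not by itself change the return value, so the test would most likely also pass against the old `size >= 8` bound unless the suite runs under ASan or valgrind. I would assert the exact flags expected for this 8-byte input with `CHECK_EQUAL`, and add a 9-byte case so both sides of the boundary are covered. If a sanitizer is the intended oracle, say so above the test, e.g. `// Regression for OOB read on 8-byte input; only detectable under ASan/valgrind`.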