From 922f4f7d78055ed96833b43cb0c086fe37e2b672 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Fri, 6 Sep 2019 15:07:56 +0200
Subject: [PATCH] ssl: fix bounds checking in version decoding
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Reported-by: Sirko Höer -- Code Intelligence for DCSO. Bug #3169.
---
 src/app-layer-ssl.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
index 00b67333c7..75ee8f31a4 100644
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -955,6 +955,9 @@ static inline int TLSDecodeHSHelloExtensionSupportedVersions(SSLState *ssl_state
 uint8_t supported_ver_len = *input;
 input += 1;
+ if (supported_ver_len < 2)
+ goto invalid_length;
+
 if (!(HAS_SPACE(supported_ver_len)))
 goto invalid_length;
@@ -1017,6 +1020,9 @@ static inline int TLSDecodeHSHelloExtensionEllipticCurves(SSLState *ssl_state,
 /* coverity[tainted_data] */
 while (ec_processed_len < elliptic_curves_len) {
+ if (!(HAS_SPACE(2)))
+ goto invalid_length;
+
 uint16_t elliptic_curve = *input << 8 | *(input + 1);
 input += 2;
--
2.47.2
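Review bot: The new `supported_ver_len < 2` test in TLSDecodeHSHelloExtensionSupportedVersions uses a bare 2 with no comment, and the read it protects is outside this hunk, so the reason for the minimum cannot be seen here. Presumably each supported-versions entry is a 2-byte value and the code after the `HAS_SPACE(supported_ver_len)` check reads the first one; if so, say it above the check, e.g. `/* list must hold at least one 2-byte version; the first entry is read below */`. An odd length still passes both checks, which is probably harmless if only the first entry is read, but is worth a word in the same comment. The commit touches only src/app-layer-ssl.c, so a regression input for Bug #3169 with a too-short list length would help keep the check in place. The function body starts and ends outside the hunk.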
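Review bot: The added `HAS_SPACE(2)` at the top of the while loop in TLSDecodeHSHelloExtensionEllipticCurves presumably bounds each 2-byte read against the input buffer, not against the declared list. Nothing visible here rejects an odd `elliptic_curves_len`, so the final iteration can still consume one byte beyond the declared list whenever more data follows it. Assuming the length is only validated as a total before the loop (that code is outside the hunk), I would add `if (elliptic_curves_len % 2 != 0) goto invalid_length;` ahead of the loop. The `/* coverity[tainted_data] */` suppression above the loop should also be revisited now that the read is checked explicitly. The loop body continues past the end of the hunk.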