From 97f97dd72a3d8a6c86dafa2b15b8e528f137846c Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Wed, 5 Oct 2022 21:21:41 +0200
Subject: [PATCH] tls: fix buffer overread
Recently introduced by commit 4bab6e24e5e2cef29c9a5a6bee3263e4a3d47e76
Ticket: #5564
(cherry picked from commit 3fbcba8ab7c042fd6f802cdeae02cb0c67771c7a)
---
 src/app-layer-ssl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
index c1b3779ebc..9f4fc659b3 100644
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -1493,7 +1493,7 @@ static int SSLv3ParseHandshakeType(SSLState *ssl_state, const uint8_t *input,
 case SSLV3_HS_SERVER_HELLO:
 ssl_state->current_flags = SSL_AL_FLAG_STATE_SERVER_HELLO;
- rc = TLSDecodeHandshakeHello(ssl_state, input, ssl_state->curr_connp->message_length);
+ rc = TLSDecodeHandshakeHello(ssl_state, input, input_len);
 if (rc < 0) return rc;
 break;
@@ -1591,7 +1591,7 @@ static int SSLv3ParseHandshakeProtocol(SSLState *ssl_state, const uint8_t *input
 ssl_state->curr_connp->hs_buffer_offset += add;
 if (ssl_state->curr_connp->hs_buffer_message_size <=
- ssl_state->curr_connp->hs_buffer_offset + input_len) {
+ ssl_state->curr_connp->hs_buffer_offset) {
 ssl_state->curr_connp->handshake_type = ssl_state->curr_connp->hs_buffer_message_type;
-- 
2.47.2
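Review bot: The `SSLV3_HS_SERVER_HELLO` case now bounds `TLSDecodeHandshakeHello` with `input_len`, but no comment records why `ssl_state->curr_connp->message_length` must not serve as the read bound there. That field presumably holds the length declared on the wire, so it can exceed the bytes actually present in `input`; I would add above the call `/* bound by the bytes actually present in input, not by the length field declared by the peer */`. The other cases of this switch lie outside the hunk and are worth checking for any decoder that still receives `message_length` as its limit.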
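Review bot: The completeness check that follows `hs_buffer_offset += add;` carries no comment explaining why `input_len` was dropped from the comparison, and the patch ships no regression test (the diffstat lists only `src/app-layer-ssl.c`). Presumably `add` is the number of bytes just taken from `input`, so the old `hs_buffer_offset + input_len` counted those bytes twice and could treat a still-incomplete handshake message as complete. A comment before the `if`, such as `/* hs_buffer_offset already includes the bytes added above; do not add input_len again */`, would guard against reintroducing it. A unit test that delivers a constructed handshake message in several fragments would pin the corrected behaviour. The enclosing function starts and ends outside the hunk.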