Pull request #4781: ssl: fix integer underflow in certificate parsing

Merge in SNORT/snort3 from ~BHRYNIV/snort3:ssl_underflow_fix to master

Squashed commit of the following:

commit bc9af6fa1edf78e998f5ea9b8259b7c9c892e08b
Author: Bohdan Hryniv <bhryniv@cisco>
Date:   Fri Jun 20 08:38:08 2025 -0400

    ssl: fix integer underflow in certificate parsing

diff --git a/src/protocols/ssl.cc b/src/protocols/ssl.cc
index c146c8428e69dec36229494a376b520c8226e51a..23f902dd984023002fdf5500eafb01ae49cd75c0 100644 (file)
--- a/src/protocols/ssl.cc
+++ b/src/protocols/ssl.cc
@@ -201,7 +201,7 @@ static uint32_t SSL_decode_handshake_v3(const uint8_t* pkt, int size,
             {
                 certs_rec = (const ServiceSSLV3CertsRecord*)handshake;
                 server_cert_data->certs_len = ntoh3(certs_rec->certs_len);
-                if ( server_cert_data->certs_len > (size - sizeof(certs_rec->certs_len)) )
+                if (server_cert_data->certs_len + sizeof(certs_rec->certs_len) > (unsigned int)size)
                 {
                     return retval | SSL_TRUNCATED_FLAG;
                 }
@@ -695,7 +695,7 @@ ParseCHResult parse_client_hello_data(const uint8_t* pkt, uint16_t size, SSLV3Cl
         pkt += len;
         length -= len;
     }
-    
+
     return ParseCHResult::FAILED;
 }