
Commit 1875348

committed
Fix issues in TLS Extension size calculations
1 parent 5a72a37 commit 1875348

1 file changed

Lines changed: 23 additions & 9 deletions


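--- a/src/tls.c
+++ b/src/tls.c
@@ -2138,7 +2138,7 @@ static void TLSX_SNI_FreeAll(SNI* list, void* heap)
 static word16 TLSX_SNI_GetSize(SNI* list)
 {
 SNI* sni;
-word16 length = OPAQUE16_LEN; /* list length */
+word32 length = OPAQUE16_LEN; /* list length */
 
 while ((sni = list)) {
 list = sni->next;
@@ -2150,9 +2150,13 @@ static word16 TLSX_SNI_GetSize(SNI* list)
 length += (word16)XSTRLEN((char*)sni->data.host_name);
 break;
 }
+
+if (length > WOLFSSL_MAX_16BIT) {
+return 0;
+}
 }
 
-return length;
+return (word16)length;
 }
 
 /** Writes the SNI objects of a list in a buffer. */
@@ -3216,7 +3220,7 @@ static void TLSX_CSR_Free(CertificateStatusRequest* csr, void* heap)
 word16 TLSX_CSR_GetSize_ex(CertificateStatusRequest* csr, byte isRequest,
 int idx)
 {
-word16 size = 0;
+word32 size = 0;
 
 /* shut up compiler warnings */
 (void) csr; (void) isRequest;
@@ -3237,15 +3241,21 @@ word16 TLSX_CSR_GetSize_ex(CertificateStatusRequest* csr, byte isRequest,
 if (csr->ssl != NULL && SSL_CM(csr->ssl) != NULL &&
 SSL_CM(csr->ssl)->ocsp_stapling != NULL &&
 SSL_CM(csr->ssl)->ocsp_stapling->statusCb != NULL) {
-return OPAQUE8_LEN + OPAQUE24_LEN + csr->ssl->ocspCsrResp[idx].length;
+size = OPAQUE8_LEN + OPAQUE24_LEN +
+csr->ssl->ocspCsrResp[idx].length;
+if (size > WOLFSSL_MAX_16BIT)
+return 0;
+return (word16)size;
 }
-return (word16)(OPAQUE8_LEN + OPAQUE24_LEN +
-csr->responses[idx].length);
+size = OPAQUE8_LEN + OPAQUE24_LEN + csr->responses[idx].length;
+if (size > WOLFSSL_MAX_16BIT)
+return 0;
+return (word16)size;
 }
 #else
 (void)idx;
 #endif
-return size;
+return (word16)size;
 }
 
 #if (defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER))
@@ -3855,7 +3865,7 @@ static void TLSX_CSR2_FreeAll(CertificateStatusRequestItemV2* csr2, void* heap)
 static word16 TLSX_CSR2_GetSize(CertificateStatusRequestItemV2* csr2,
 byte isRequest)
 {
-word16 size = 0;
+word32 size = 0;
 
 /* shut up compiler warnings */
 (void) csr2; (void) isRequest;
@@ -3876,11 +3886,15 @@ static word16 TLSX_CSR2_GetSize(CertificateStatusRequestItemV2* csr2,
 size += OCSP_NONCE_EXT_SZ;
 break;
 }
+
+if (size > WOLFSSL_MAX_16BIT) {
+return 0;
+}
 }
 }
 #endif
 
-return size;
+return (word16)size;
 }
 
 static int TLSX_CSR2_Write(CertificateStatusRequestItemV2* csr2,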
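Review bot: In TLSX_SNI_GetSize the context line at new line 2150 still casts each host name length to `word16` before adding it to the widened accumulator, so the new `length > WOLFSSL_MAX_16BIT` check only sees a sum of already-truncated values. Unless the host name length is bounded where the SNI is stored (not visible here), that line should read `length += (word32)XSTRLEN((char*)sni->data.host_name);`. Separately, all three functions signal overflow by returning 0, which is also what TLSX_CSR_GetSize_ex and TLSX_CSR2_GetSize return when nothing is added to `size`, so a caller cannot tell an oversized extension from an absent one. If the matching write routines (TLSX_CSR2_Write starts right after the last hunk) still emit the data, the output buffer would have been sized without it; confirm that callers treat 0 as an error, or return a distinct error code instead. The bodies of all three functions extend beyond the hunks shown, so the switch cases feeding these sums were not reviewed.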
