Merge pull request #7099 from jpbland1/tls13-bounds-check

TLS13 padding bounds check
wolfSSL · Jan 4, 2024 · 9db2077 · 9db2077
2 parents bcfaf03 + b37716f
commit 9db2077
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/src/internal.c b/src/internal.c
@@ -21160,11 +21160,11 @@ int ProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
                 ssl->keys.decryptedCur = 1;
 #ifdef WOLFSSL_TLS13
                 if (ssl->options.tls1_3) {
-                    /* end of plaintext */
-                    word16 i = (word16)(ssl->buffers.inputBuffer.idx +
-                                 ssl->curSize - ssl->specs.aead_mac_size);
-
-                    if (i > ssl->buffers.inputBuffer.length) {
+                    word32 i = (ssl->buffers.inputBuffer.idx +
+                        ssl->curSize - ssl->specs.aead_mac_size);
+                    /* check that the end of the logical length doesn't extend
+                     * past the real buffer */
+                    if (i > ssl->buffers.inputBuffer.length || i == 0) {
                         WOLFSSL_ERROR(BUFFER_ERROR);
                         return BUFFER_ERROR;
                     }