ssl: fix bounds checking in version decoding

Reported-by: Sirko Höer -- Code Intelligence for DCSO. Bug #3169.
7 years ago · 922f4f7d78
parent c8b49aee56
commit 922f4f7d78
1 changed files with 6 additions and 0 deletions
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@ -955,6 +955,9 @@ static inline int TLSDecodeHSHelloExtensionSupportedVersions(SSLState *ssl_state
        uint8_t supported_ver_len = *input;
        input += 1;

+        if (supported_ver_len < 2)
+            goto invalid_length;
+
        if (!(HAS_SPACE(supported_ver_len)))
            goto invalid_length;

@ -1017,6 +1020,9 @@ static inline int TLSDecodeHSHelloExtensionEllipticCurves(SSLState *ssl_state,
        /* coverity[tainted_data] */
        while (ec_processed_len < elliptic_curves_len)
        {
+            if (!(HAS_SPACE(2)))
+                goto invalid_length;
+
            uint16_t elliptic_curve = *input << 8 | *(input + 1);
            input += 2;