Closed bathooman closed 1 year ago
Thanks a lot for reporting!
I see, this function doesn't obey the already processed bytes by subtracting them from data_length.
And, as you report, the size of the length field must also be obeyed, e.g. in L3510, where data + 1 is used instead of data + sizeof(uint16).
I will provide a fix.
It appears that this bug is fixed in #197. We can close this issue.
Thanks a lot for reporting. Currently "too many" larger PRs are pending, but I plan to consolidate the parsing in general using the new macros as in PR #198
Description
This affects the processing of the messages on the client-side.
How to trigger
Upon receipt of a Certificate Request message, if the message is maliciously crafted in a way that the values of the Certificate Types Count and Signature Hash Algorithms Length are not within the boundary of the Fragment Length, three out-of-bounds pointer dereferences occur in the following three points:
My suggestion:
There should always be a check that ensures that the fields that represent the size of fields are within the boundary of data_length.
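A bounds-checked parser for the CertificateRequest body (RFC 5246, 7.4.4) that applies the checks asked for above: each length field is validated against data_length, consumed bytes are subtracted from data_length before the next check, and the pointer is advanced by the real size of the length field. This is an added example, not the project's code; the type and function names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Parsed view of a TLS 1.2 CertificateRequest body (RFC 5246, 7.4.4).
 * Pointers reference the caller's buffer; nothing is copied. */
typedef struct {
    const uint8_t *cert_types; size_t cert_types_len;
    const uint8_t *sig_hash;   size_t sig_hash_len;
    const uint8_t *ca_names;   size_t ca_names_len;
} cert_request_t;

/* Read a 1- or 2-byte length prefix and the bytes it announces, but only if
 * both fit in the remaining data. Consumed bytes are subtracted from
 * *data_length so every later check sees the true remainder.
 * Returns 0 on success, -1 if the vector would run past data_length. */
static int read_vector(const uint8_t **data, size_t *data_length, size_t prefix_size,
                       const uint8_t **out, size_t *out_len)
{
    size_t len;
    if (*data_length < prefix_size)
        return -1;                      /* not even the length field fits */
    len = (prefix_size == 1) ? (*data)[0]
                             : ((size_t)(*data)[0] << 8) | (*data)[1];
    *data += prefix_size;               /* advance by the field's real size, not a fixed 1 */
    *data_length -= prefix_size;
    if (len > *data_length)
        return -1;                      /* declared length exceeds the fragment */
    *out = *data;
    *out_len = len;
    *data += len;
    *data_length -= len;
    return 0;
}

/* Parse a CertificateRequest body of data_length bytes. Returns 0 and fills *req,
 * or -1 when any length field is inconsistent with data_length. */
int parse_certificate_request(const uint8_t *data, size_t data_length, cert_request_t *req)
{
    memset(req, 0, sizeof(*req));
    if (read_vector(&data, &data_length, 1, &req->cert_types, &req->cert_types_len)) return -1;
    if (req->cert_types_len == 0) return -1;            /* <1..2^8-1>: at least one type */
    if (read_vector(&data, &data_length, 2, &req->sig_hash, &req->sig_hash_len)) return -1;
    if (req->sig_hash_len < 2 || req->sig_hash_len % 2) return -1; /* (hash, sig) pairs */
    if (read_vector(&data, &data_length, 2, &req->ca_names, &req->ca_names_len)) return -1;
    return data_length == 0 ? 0 : -1;                   /* leftover bytes: malformed */
}
```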