Skip to content

Ensure the length computed by CheckHeaders in the SSL sniffer does not exceed the actual size of the packets.#9947

Merged
JacobBarthelmeh merged 2 commits intowolfSSL:masterfrom
kareem-wolfssl:zd21325
Mar 13, 2026
Merged

Ensure the length computed by CheckHeaders in the SSL sniffer does not exceed the actual size of the packets.#9947
JacobBarthelmeh merged 2 commits intowolfSSL:masterfrom
kareem-wolfssl:zd21325

Conversation

@kareem-wolfssl
Copy link
Contributor

@kareem-wolfssl kareem-wolfssl commented Mar 10, 2026
edited
Loading

Description

Fixes zd#21325

Thanks to Haruto Kimura (Stella) for the report.

Testing

Provided reproducer + built in tests

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@kareem-wolfssl kareem-wolfssl requested a review from lealem47 March 10, 2026 23:04
@kareem-wolfssl kareem-wolfssl self-assigned this Mar 10, 2026
Copilot AI review requested due to automatic review settings March 10, 2026 23:04
Copilot AI reviewed Mar 10, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Prevents the SSL sniffer’s CheckHeaders length calculation from reporting more SSL bytes than are actually available in the captured packet, avoiding out-of-bounds parsing.

Changes:

  • Added a bounds check to ensure *sslBytes does not exceed the remaining captured packet length.
  • On mismatch, sets an error and returns WOLFSSL_FATAL_ERROR.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@philljj
Copy link
Contributor

philljj commented Mar 12, 2026

Retest this please.

@kareem-wolfssl kareem-wolfssl added the For This Release Release version 5.9.0 label Mar 12, 2026
Copilot AI review requested due to automatic review settings March 12, 2026 19:38
Copilot AI reviewed Mar 12, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

@kareem-wolfssl
Copy link
Contributor Author

kareem-wolfssl commented Mar 12, 2026

Retest this please.

@JacobBarthelmeh
Copy link
Contributor

JacobBarthelmeh commented Mar 13, 2026

Retest this please Jenkins. Multi-test failed but the history of the issue is no longer available, there is a high chance it is a actual adjustment that needs to be made to this PR.

@kareem-wolfssl
Ensure the length computed by CheckHeaders in the SSL sniffer does no…
19b99f8 
…t exceed the actual size of the packets.

Thanks to Haruto Kimura (Stella) for the report.
@kareem-wolfssl
Rework check to compare only ints.
94b370f
@JacobBarthelmeh
Copy link
Contributor

JacobBarthelmeh commented Mar 13, 2026

Retest this please Jenkins. Windows test failure wolfSSL error: tcp bind failed

@JacobBarthelmeh JacobBarthelmeh merged commit a6195c3 into wolfSSL:master Mar 13, 2026
470 of 472 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@JacobBarthelmeh JacobBarthelmeh JacobBarthelmeh approved these changes

@lealem47 lealem47 Awaiting requested review from lealem47

Assignees

@JacobBarthelmeh JacobBarthelmeh

@wolfSSL-Bot wolfSSL-Bot

Labels

For This Release Release version 5.9.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@kareem-wolfssl @philljj @JacobBarthelmeh @wolfSSL-Bot