
Commit 44f3e4a

CID 337219 allocation using untrusted size
1 parent 635d326 commit 44f3e4a


2 files changed

+16
-1
lines changed


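--- a/src/quic.c
+++ b/src/quic.c
@@ -83,6 +83,11 @@ static QuicRecord *quic_record_make(WOLFSSL *ssl,
 }
 else {
 qr->capacity = qr->len = qr_length(data, len);
+if (qr->capacity > WOLFSSL_QUIC_MAX_RECORD_CAPACITY) {
+WOLFSSL_MSG("QUIC length read larger than expected");
+quic_record_free(ssl, qr);
+return NULL;
+}
 }
 if (qr->capacity == 0) {
 qr->capacity = 2*1024;
@@ -131,7 +136,8 @@ static int quic_record_append(WOLFSSL *ssl, QuicRecord *qr, const uint8_t *data,
 qr->len = qr_length(qr->data, qr->end);
 
 /* sanity check on length read from wire before use */
-if (qr->len > (len + qr->capacity)) {
+if (qr->len > WOLFSSL_QUIC_MAX_RECORD_CAPACITY) {
+WOLFSSL_MSG("Length read for quic is larger than expected");
 ret = BUFFER_E;
 goto cleanup;
 }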
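Review bot: The replacement check in quic_record_append (second hunk) bounds qr->len only against the absolute cap WOLFSSL_QUIC_MAX_RECORD_CAPACITY, whereas the removed condition related it to the buffer actually held (len + qr->capacity); a wire length below 1 MB can therefore still exceed the current capacity, so whether the code after the hunk grows qr->data to at least qr->len before that value is used as a bound needs confirming, as it is not visible here. In quic_record_make (first hunk) the same cap is applied to qr->capacity before any allocation that follows, which is what the commit title targets; the branch above the `else` lies outside the hunk, so it cannot be seen whether a length reaching qr->capacity from that path gets an equivalent bound. Both functions begin before their hunk and quic_record_append continues past it. A short comment at the new check in quic_record_make would tie it to the header definition, e.g. `/* reject an untrusted wire length before it sizes any allocation; limit is WOLFSSL_QUIC_MAX_RECORD_CAPACITY */`.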

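--- a/wolfssl/quic.h
+++ b/wolfssl/quic.h
@@ -290,6 +290,15 @@ int wolfSSL_quic_hkdf(uint8_t* dest, size_t destlen,
 const uint8_t* salt, size_t saltlen,
 const uint8_t* info, size_t infolen);
 
+/* most common QUIC packet size as of 2022 was 1,200 bytes
+ * largest packet size listed in the RFC is 1,392 bytes
+ * this gives plenty of breathing room for capacity of records but keeps sizes
+ * read from the wire sane */
+#ifndef WOLFSSL_QUIC_MAX_RECORD_CAPACITY
+/* 1024*1024 -- 1 MB */
+#define WOLFSSL_QUIC_MAX_RECORD_CAPACITY 1048576
+#endif
+
 #endif /* WOLFSSL_QUIC */
 
 #ifdef __cplusplus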
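Review bot: The comment above the new macro justifies the value by QUIC packet sizes, yet the macro bounds a record (quic_record_append accumulates data into one), so the relation between a packet and a record that makes 1 MB the right order of magnitude is not stated; it also says "the RFC" without naming which. Since the `#ifndef` guard lets a build override the value, the comment should also say what the override is for and that raising it widens the size an attacker-controlled wire length can drive allocations to. Suggest rewording the header comment along the lines of `/* Upper bound on a single QUIC record as reconstructed from the wire. Typical packets are ~1,200 bytes (largest in the RFC: 1,392), so 1 MB leaves ample room while keeping untrusted lengths sane; overriding it raises the largest allocation a peer can request. */`.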
