CID 337219 allocation using untrusted size

Author: JacobBarthelmeh

src/quic.c

@@ -83,6 +83,11 @@ static QuicRecord *quic_record_make(WOLFSSL *ssl,
         }
         else {
             qr->capacity = qr->len = qr_length(data, len);
+            if (qr->capacity > WOLFSSL_QUIC_MAX_RECORD_CAPACITY) {
+                WOLFSSL_MSG("QUIC length read larger than expected");
+                quic_record_free(ssl, qr);
+                return NULL;
+            }
         }
         if (qr->capacity == 0) {
             qr->capacity = 2*1024;
@@ -131,7 +136,8 @@ static int quic_record_append(WOLFSSL *ssl, QuicRecord *qr, const uint8_t *data,
         qr->len = qr_length(qr->data, qr->end);
 
         /* sanity check on length read from wire before use */
-        if (qr->len > (len + qr->capacity)) {
+        if (qr->len > WOLFSSL_QUIC_MAX_RECORD_CAPACITY) {
+            WOLFSSL_MSG("Length read for quic is larger than expected");
             ret = BUFFER_E;
             goto cleanup;
         }

wolfssl/quic.h

@@ -290,6 +290,15 @@ int wolfSSL_quic_hkdf(uint8_t* dest, size_t destlen,
                       const uint8_t* salt, size_t saltlen,
                       const uint8_t* info, size_t infolen);
 
+/* most common QUIC packet size as of 2022 was 1,200 bytes
+ * largest packet size listed in the RFC is 1,392 bytes
+ * this gives plenty of breathing room for capacity of records but keeps sizes
+ * read from the wire sane */
+#ifndef WOLFSSL_QUIC_MAX_RECORD_CAPACITY
+    /* 1024*1024 -- 1 MB */
+    #define WOLFSSL_QUIC_MAX_RECORD_CAPACITY 1048576
+#endif
+
 #endif /* WOLFSSL_QUIC */
 
 #ifdef __cplusplus