Merge pull request #7347 from JacobBarthelmeh/coverity2

dgarske · web-flow · commit 50b1044c2f8a · 2024-03-18T09:04:09.000-07:00
Coverity Fixes QUIC
diff --git a/src/quic.c b/src/quic.c
@@ -83,6 +83,11 @@ static QuicRecord *quic_record_make(WOLFSSL *ssl,
         }
         else {
             qr->capacity = qr->len = qr_length(data, len);
+            if (qr->capacity > WOLFSSL_QUIC_MAX_RECORD_CAPACITY) {
+                WOLFSSL_MSG("QUIC length read larger than expected");
+                quic_record_free(ssl, qr);
+                return NULL;
+            }
         }
         if (qr->capacity == 0) {
             qr->capacity = 2*1024;
@@ -129,6 +134,14 @@ static int quic_record_append(WOLFSSL *ssl, QuicRecord *qr, const uint8_t *data,
         consumed = missing;
 
         qr->len = qr_length(qr->data, qr->end);
+
+        /* sanity check on length read from wire before use */
+        if (qr->len > WOLFSSL_QUIC_MAX_RECORD_CAPACITY) {
+            WOLFSSL_MSG("Length read for quic is larger than expected");
+            ret = BUFFER_E;
+            goto cleanup;
+        }
+
         if (qr->len > qr->capacity) {
             uint8_t *ndata = (uint8_t*)XREALLOC(qr->data, qr->len, ssl->heap,
                                                 DYNAMIC_TYPE_TMP_BUFFER);
diff --git a/wolfssl/quic.h b/wolfssl/quic.h
@@ -290,6 +290,15 @@ int wolfSSL_quic_hkdf(uint8_t* dest, size_t destlen,
                       const uint8_t* salt, size_t saltlen,
                       const uint8_t* info, size_t infolen);
 
+/* most common QUIC packet size as of 2022 was 1,200 bytes
+ * largest packet size listed in the RFC is 1,392 bytes
+ * this gives plenty of breathing room for capacity of records but keeps sizes
+ * read from the wire sane */
+#ifndef WOLFSSL_QUIC_MAX_RECORD_CAPACITY
+    /* 1024*1024 -- 1 MB */
+    #define WOLFSSL_QUIC_MAX_RECORD_CAPACITY (1048576)
+#endif
+
 #endif /* WOLFSSL_QUIC */
 
 #ifdef __cplusplus
