@@ -720,9 +720,14 @@ static Dtls13RecordNumber* Dtls13NewRecordNumber(w64wrapper epoch,
720720 return rn ;
721721}
722722
723+ #ifndef DTLS13_MAX_ACK_RECORDS
724+ #define DTLS13_MAX_ACK_RECORDS 512
725+ #endif
726+
723727int Dtls13RtxAddAck (WOLFSSL * ssl , w64wrapper epoch , w64wrapper seq )
724728{
725729 Dtls13RecordNumber * rn ;
730+ int count ;
726731
727732 WOLFSSL_ENTER ("Dtls13RtxAddAck" );
728733
@@ -741,7 +746,9 @@ int Dtls13RtxAddAck(WOLFSSL* ssl, w64wrapper epoch, w64wrapper seq)
741746 return 0 ; /* list full, silently drop */
742747 }
743748
749+ count = 0 ;
744750 for (; cur != NULL ; prevNext = & cur -> next , cur = cur -> next ) {
751+ count ++ ;
745752 if (w64Equal (cur -> epoch , epoch ) && w64Equal (cur -> seq , seq )) {
746753 /* already in list. no duplicates. */
747754 #ifdef WOLFSSL_RW_THREADED
@@ -756,6 +763,16 @@ int Dtls13RtxAddAck(WOLFSSL* ssl, w64wrapper epoch, w64wrapper seq)
756763 }
757764 }
758765
766+ /* Cap the ACK list to prevent word16 overflow in
767+ * Dtls13GetAckListLength and bound memory consumption */
768+ if (count >= DTLS13_MAX_ACK_RECORDS ) {
769+ WOLFSSL_MSG ("DTLS 1.3 ACK list full, dropping record" );
770+ #ifdef WOLFSSL_RW_THREADED
771+ wc_UnLockMutex (& ssl -> dtls13Rtx .mutex );
772+ #endif
773+ return 0 ;
774+ }
775+
759776 rn = Dtls13NewRecordNumber (epoch , seq , ssl -> heap );
760777 if (rn == NULL ) {
761778 #ifdef WOLFSSL_RW_THREADED
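Review bot: `count` is incremented only for the nodes the loop visits before it stops, so the `count >= DTLS13_MAX_ACK_RECORDS` test after the loop sees the full list length only if the walk always reaches the tail. The loop body between the second and third hunks is not shown; if it breaks out at a sorted insertion point, as the `prevNext` bookkeeping suggests, a record that sorts ahead of existing entries is checked against a partial count and the list can grow past the cap, which defeats both the word16 guard for Dtls13GetAckListLength and the memory bound the comment names. Either keep a length field next to the list head that is updated on insert and removal, or finish the walk before the comparison, e.g. `for (rest = (cur != NULL) ? cur->next : NULL; rest != NULL; rest = rest->next) count++;` with `rest` declared as a `Dtls13RecordNumber*`. Because DTLS13_MAX_ACK_RECORDS can be overridden at build time, a preprocessor `#error` for values whose encoded ACK length no longer fits in a word16 would keep the first reason in the comment true for custom builds. Dtls13RtxAddAck starts and ends outside these hunks.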