added check if the buf is at least RECORD_HEADER_SZ #7638

Merged
merged 2 commits into from
Jun 13, 2024
19 changes: 15 additions & 4 deletions src/quic.c
Expand Up @@ -188,7 +188,7 @@ static word32 add_rec_header(byte* output, word32 length, byte type)
return RECORD_HEADER_SZ;
}

static word32 quic_record_transfer(QuicRecord* qr, byte* buf, word32 sz)
static sword32 quic_record_transfer(QuicRecord* qr, byte* buf, word32 sz)
{
word32 len = qr->end - qr->start;
word32 offset = 0;
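Review bot: The new `sword32` return type on `quic_record_transfer()` comes with no comment describing the return contract. The function now returns either a byte count or a negative error, so a short comment above the definition saying that it returns the number of bytes transferred, or -1 when `sz` is smaller than `RECORD_HEADER_SZ`, would help. A named error code instead of a bare -1 would also make the caller's check self-explanatory.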
Expand All @@ -197,6 +197,12 @@ static word32 quic_record_transfer(QuicRecord* qr, byte* buf, word32 sz)
if (len <= 0) {
return 0;
}

/* We check if the buf is at least RECORD_HEADER_SZ */
if (sz < RECORD_HEADER_SZ) {
return -1;
}

if (qr->rec_hdr_remain == 0) {
/* start a new TLS record */
rlen = (qr->len <= (word32)MAX_RECORD_SIZE) ?
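Review bot: The `sz < RECORD_HEADER_SZ` check sits before the `if (qr->rec_hdr_remain == 0)` branch, so it also rejects a small `sz` when a record is already in progress and no new record is being started. If the record header is only written inside that branch, moving the check into it would keep short continuation reads working. Separately, `len` is a `word32`, so `if (len <= 0)` just above can only ever mean `len == 0`.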
Expand All @@ -218,7 +224,7 @@ static word32 quic_record_transfer(QuicRecord* qr, byte* buf, word32 sz)
qr->start += len;
qr->rec_hdr_remain -= len;
}
return len + offset;
return (sword32)(len + offset);
}


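Review bot: The cast in `return (sword32)(len + offset);` has no range check. A `word32` sum above the `sword32` maximum becomes negative after the cast, and the caller in `wolfSSL_quic_receive()` only tests for `n == -1`. Either add a comment saying why the sum stays in range, or have the caller treat any `n < 0` as an error.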
Expand Down Expand Up @@ -766,14 +772,19 @@ int wolfSSL_provide_quic_data(WOLFSSL* ssl, WOLFSSL_ENCRYPTION_LEVEL level,
/* Called internally when SSL wants a certain amount of input. */
int wolfSSL_quic_receive(WOLFSSL* ssl, byte* buf, word32 sz)
{
word32 n = 0;
sword32 n = 0;
int transferred = 0;

WOLFSSL_ENTER("wolfSSL_quic_receive");
while (sz > 0) {
n = 0;
if (ssl->quic.input_head) {
n = quic_record_transfer(ssl->quic.input_head, buf, sz);

/* record too small to be fit into a RecordLayerHeader struct. */
if (n == -1) {
Contributor

n is unsigned here -- but there's a bigger problem: quic_record_transfer() is returning unsigned (word32), but it's returning -1 to signify error.

So you'll need to fix quic_record_transfer() to return sword32, fix signedness clashes that arise from that, and change n in wolfSSL_quic_receive() to be an sword32 and fix clashes that arise from that.

I'm quite surprised none of the analyzers are warning us about return -1 from word32 quic_record_transfer().

return -1;
}
if (quic_record_done(ssl->quic.input_head)) {
QuicRecord* qr = ssl->quic.input_head;
ssl->quic.input_head = qr->next;
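Review bot: The new `return -1;` inside the `while (sz > 0)` loop leaves the function directly, drops whatever is already counted in `transferred`, and does not set `ssl->error`, while the `WANT_READ` path further down assigns `ssl->error` and uses `goto cleanup`. Consider routing this error through the same exit. Also, the comment says the record is too small, but the condition being reported is that `sz` is below `RECORD_HEADER_SZ`, so "buffer too small to hold a record header" would be more accurate.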
Expand All @@ -791,7 +802,7 @@ int wolfSSL_quic_receive(WOLFSSL* ssl, byte* buf, word32 sz)
ssl->error = transferred = WANT_READ;
goto cleanup;
}
sz -= n;
sz -= (word32)n;
buf += n;
transferred += (int)n;
}
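Review bot: The three updates at the end of the loop body treat `n` inconsistently: `sz -= (word32)n;` and `transferred += (int)n;` cast, while `buf += n;` uses the signed value as is. Converting `n` once into a `word32` local right after the error check and using that local in all three lines would be easier to read and would keep the signedness handling in one place.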