Fix DTLS 1.3 extSz out-of-bounds and word16 truncation on oversized certificate chains#10103
Open
gasbytes wants to merge 1 commit intowolfSSL:masterfrom
Open
Fix DTLS 1.3 extSz out-of-bounds and word16 truncation on oversized certificate chains#10103gasbytes wants to merge 1 commit intowolfSSL:masterfrom
gasbytes wants to merge 1 commit intowolfSSL:masterfrom
Conversation
gasbytes
assigned
julek-wolfssl,
wolfSSL-Bot and
gasbytes and unassigned
wolfSSL-Bot and
julek-wolfssl
gasbytes
force-pushed
the
fix-dtls13-oversized-cert-chain
branch
from
7cf8fea to
a30c6af
Compare
rizlik
requested changes
Mar 30, 2026
src/dtls13.c
Outdated
| ssl->dtls13FragmentsBuffer.buffer + ssl->dtls13FragOffset, | ||
| fragLength); | ||
|
|
||
| if ((word32)outputSz > WOLFSSL_MAX_16BIT) { |
Contributor
There was a problem hiding this comment.
move it just after outputSz is computed
src/dtls13.c
Outdated
|
|
||
| seq = ssl->dtls13EncryptEpoch->nextSeqNumber; | ||
|
|
||
| if ((word32)sendSz > WOLFSSL_MAX_16BIT) { |
Contributor
There was a problem hiding this comment.
move it just after sendSz is computed
gasbytes
force-pushed
the
fix-dtls13-oversized-cert-chain
branch
from
a30c6af to
fcd454f
Compare
gasbytes
force-pushed
the
fix-dtls13-oversized-cert-chain
branch
from
fcd454f to
a9ff710
Compare
rizlik
previously approved these changes
Mar 30, 2026
julek-wolfssl
previously approved these changes
Mar 31, 2026
gasbytes
force-pushed
the
fix-dtls13-oversized-cert-chain
branch
from
a9ff710 to
5ae6a9d
Compare
|
Thanks for the fix, @gasbytes. I'm the original reporter (zd#21435). Reviewed the changes:
LGTM. Thanks for the thorough fix and test. |
Contributor
Author
|
retest this please |
…ertificate chains
gasbytes
force-pushed
the
fix-dtls13-oversized-cert-chain
branch
from
5ae6a9d to
8e35a14
Compare
Contributor
|
only failing test is something in the multi-test PRB (logs lost) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Fix DTLS 1.3 extSz out-of-bounds and word16 truncation on oversized certificate chains.
Fixes zd#21435
Testing
added test_dtls13_oversized_cert_chain that exercises the appropriate code pathss
Checklist