From f198c490176f6f49c034dddcecbbaaad82cc1a28 Mon Sep 17 00:00:00 2001 From: Achim Kraus Date: Sat, 27 Jun 2026 15:37:31 +0200 Subject: [PATCH 1/4] dtls.c: verify_ext_eliptic_curves fix length checks. Signed-off-by: Achim Kraus --- dtls.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/dtls.c b/dtls.c index fa9d0fe..791ed49 100644 --- a/dtls.c +++ b/dtls.c @@ -1105,17 +1105,18 @@ calculate_key_block(dtls_context_t *ctx, * searches for a specific key */ static int verify_ext_eliptic_curves(uint8 *data, size_t data_length) { - int i, curve_name; + uint16_t i, curve_name; + + GET_VAR_FIELD(i, data, data_length, uint16, DTLS_ALERT_HANDSHAKE_FAILURE, + "elliptic curves, length exceeds data"); /* length of curve list */ - i = dtls_uint16_to_int(data); - data += sizeof(uint16); - if (i + sizeof(uint16) != data_length) { + if (i != data_length) { dtls_warn("the list of the supported elliptic curves should be tls extension length - 2\n"); return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE); } - for (i = data_length - sizeof(uint16); i > 0; i -= sizeof(uint16)) { + for (; i > 0; i -= sizeof(uint16)) { /* check if this curve is supported */ curve_name = dtls_uint16_to_int(data); data += sizeof(uint16); From 103a991f86abc529badc6f2ab2f6118de284cdac Mon Sep 17 00:00:00 2001 From: Achim Kraus Date: Sat, 27 Jun 2026 15:46:28 +0200 Subject: [PATCH 2/4] dtls.c: verify_ext_cert_type fix length checks. Signed-off-by: Achim Kraus --- dtls.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/dtls.c b/dtls.c index 791ed49..15b1b1f 100644 --- a/dtls.c +++ b/dtls.c @@ -1130,17 +1130,18 @@ verify_ext_eliptic_curves(uint8 *data, size_t data_length) { } static int verify_ext_cert_type(uint8 *data, size_t data_length) { - int i, cert_type; + uint8_t i, cert_type; + + GET_VAR_FIELD(i, data, data_length, uint8, DTLS_ALERT_HANDSHAKE_FAILURE, + "certificate types, length exceeds data"); /* length of cert type list */ - i = dtls_uint8_to_int(data); - data += sizeof(uint8); - if (i + sizeof(uint8) != data_length) { + if (i != data_length) { dtls_warn("the list of the supported certificate types should be tls extension length - 1\n"); return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE); } - for (i = data_length - sizeof(uint8); i > 0; i -= sizeof(uint8)) { + for (; i > 0; i -= sizeof(uint8)) { /* check if this cert type is supported */ cert_type = dtls_uint8_to_int(data); data += sizeof(uint8); @@ -1265,7 +1266,7 @@ dtls_check_tls_extension(dtls_peer_t *peer, if (verify_ext_cert_type(data, j)) goto error; } else { - if (dtls_uint8_to_int(data) != TLS_CERT_TYPE_RAW_PUBLIC_KEY) + if (j < sizeof(uint8) || dtls_uint8_to_int(data) != TLS_CERT_TYPE_RAW_PUBLIC_KEY) goto error; } break; @@ -1275,7 +1276,7 @@ dtls_check_tls_extension(dtls_peer_t *peer, if (verify_ext_cert_type(data, j)) goto error; } else { - if (dtls_uint8_to_int(data) != TLS_CERT_TYPE_RAW_PUBLIC_KEY) + if (j < sizeof(uint8) || dtls_uint8_to_int(data) != TLS_CERT_TYPE_RAW_PUBLIC_KEY) goto error; } break; From b706a59bf70f920185fcee886d1c4f2a778b752f Mon Sep 17 00:00:00 2001 From: Achim Kraus Date: Sat, 27 Jun 2026 15:52:19 +0200 Subject: [PATCH 3/4] dtls.c: verify_ext_ec_point_formats fix length checks. Signed-off-by: Achim Kraus --- dtls.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/dtls.c b/dtls.c index 15b1b1f..9576fdc 100644 --- a/dtls.c +++ b/dtls.c @@ -1155,17 +1155,18 @@ static int verify_ext_cert_type(uint8 *data, size_t data_length) { } static int verify_ext_ec_point_formats(uint8 *data, size_t data_length) { - int i, cert_type; + uint8_t i, cert_type; + + GET_VAR_FIELD(i, data, data_length, uint8, DTLS_ALERT_HANDSHAKE_FAILURE, + "ec_point_formats, length exceeds data"); /* length of ec_point_formats list */ - i = dtls_uint8_to_int(data); - data += sizeof(uint8); - if (i + sizeof(uint8) != data_length) { + if (i != data_length) { dtls_warn("the list of the supported ec_point_formats should be tls extension length - 1\n"); return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE); } - for (i = data_length - sizeof(uint8); i > 0; i -= sizeof(uint8)) { + for (; i > 0; i -= sizeof(uint8)) { /* check if this ec_point_format is supported */ cert_type = dtls_uint8_to_int(data); data += sizeof(uint8); From 720d6d17ab5bfe9351476fb83acc980eb8418a8c Mon Sep 17 00:00:00 2001 From: Achim Kraus Date: Sat, 27 Jun 2026 15:56:28 +0200 Subject: [PATCH 4/4] dtls.c: verify_ext_sig_hash_algo fix length checks. Signed-off-by: Achim Kraus --- dtls.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/dtls.c b/dtls.c index 9576fdc..08339fa 100644 --- a/dtls.c +++ b/dtls.c @@ -1180,17 +1180,19 @@ static int verify_ext_ec_point_formats(uint8 *data, size_t data_length) { } static int verify_ext_sig_hash_algo(uint8 *data, size_t data_length) { - int i, hash_type, sig_type; + uint16_t i; + uint8_t hash_type, sig_type; + + GET_VAR_FIELD(i, data, data_length, uint16, DTLS_ALERT_HANDSHAKE_FAILURE, + "sig_hash_algorithms, length exceeds data"); /* length of sig_hash_algo list */ - i = dtls_uint16_to_int(data); - data += sizeof(uint16); - if (i + sizeof(uint16) != data_length) { + if (i != data_length) { dtls_warn("the list of the supported signature_algorithms should be tls extension length - 2\n"); return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE); } - for (i = data_length - sizeof(uint16); i > 0; i -= sizeof(uint16)) { + for (; i > 0; i -= sizeof(uint16)) { /* check if this _sig_hash_algo is supported */ hash_type = dtls_uint8_to_int(data); data += sizeof(uint8);