ssl: fix bounds checking in version decoding

Reported-by: Sirko Höer -- Code Intelligence for DCSO. Bug #3168.
OISF · Sep 23, 2019 · b32b464 · b32b464
1 parent 68b6082
commit b32b464
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
@@ -955,6 +955,9 @@ static inline int TLSDecodeHSHelloExtensionSupportedVersions(SSLState *ssl_state
         uint8_t supported_ver_len = *input;
         input += 1;
 
+        if (supported_ver_len < 2)
+            goto invalid_length;
+
         if (!(HAS_SPACE(supported_ver_len)))
             goto invalid_length;
 
@@ -1018,6 +1021,9 @@ static inline int TLSDecodeHSHelloExtensionEllipticCurves(SSLState *ssl_state,
         /* coverity[tainted_data] */
         while (ec_processed_len < elliptic_curves_len)
         {
+            if (!(HAS_SPACE(2)))
+                goto invalid_length;
+
             uint16_t elliptic_curve = *input << 8 | *(input + 1);
             input += 2;