tls: wrap SNICallback invocation in try/catch

mcollina · juanarbol · commit df8fbfb93dfc · 2026-03-20T13:24:00.000-05:00
Wrap the owner._SNICallback() invocation in loadSNI() with try/catch to route exceptions through owner.destroy() instead of letting them become uncaught exceptions. This completes the fix from CVE-2026-21637 which added try/catch protection to callALPNCallback, onPskServerCallback, and onPskClientCallback but missed loadSNI(). Without this fix, a remote unauthenticated attacker can crash any Node.js TLS server whose SNICallback may throw on unexpected input by sending a single TLS ClientHello with a crafted server_name value. Fixes: https://hackerone.com/reports/3556769 Refs: https://hackerone.com/reports/3473882 CVE-ID: CVE-2026-21637 PR-URL: nodejs-private/node-private#819 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Robert Nagy <ronagy@icloud.com>
diff --git a/lib/internal/tls/wrap.js b/lib/internal/tls/wrap.js
@@ -211,23 +211,27 @@ function loadSNI(info) {
     return requestOCSP(owner, info);
 
   let once = false;
-  owner._SNICallback(servername, (err, context) => {
-    if (once)
-      return owner.destroy(new ERR_MULTIPLE_CALLBACK());
-    once = true;
+  try {
+    owner._SNICallback(servername, (err, context) => {
+      if (once)
+        return owner.destroy(new ERR_MULTIPLE_CALLBACK());
+      once = true;
 
-    if (err)
-      return owner.destroy(err);
+      if (err)
+        return owner.destroy(err);
 
-    if (owner._handle === null)
-      return owner.destroy(new ERR_SOCKET_CLOSED());
+      if (owner._handle === null)
+        return owner.destroy(new ERR_SOCKET_CLOSED());
 
-    // TODO(indutny): eventually disallow raw `SecureContext`
-    if (context)
-      owner._handle.sni_context = context.context || context;
+      // TODO(indutny): eventually disallow raw `SecureContext`
+      if (context)
+        owner._handle.sni_context = context.context || context;
 
-    requestOCSP(owner, info);
-  });
+      requestOCSP(owner, info);
+    });
+  } catch (err) {
+    owner.destroy(err);
+  }
 }
 
 
diff --git a/test/parallel/test-tls-psk-alpn-callback-exception-handling.js b/test/parallel/test-tls-psk-alpn-callback-exception-handling.js
@@ -331,4 +331,94 @@ describe('TLS callback exception handling', () => {
 
     await promise;
   });
+
+  // Test 7: SNI callback throwing should emit tlsClientError
+  it('SNICallback throwing emits tlsClientError', async (t) => {
+    const server = tls.createServer({
+      key: fixtures.readKey('agent2-key.pem'),
+      cert: fixtures.readKey('agent2-cert.pem'),
+      SNICallback: (servername, cb) => {
+        throw new Error('Intentional SNI callback error');
+      },
+    });
+
+    t.after(() => server.close());
+
+    const { promise, resolve, reject } = createTestPromise();
+
+    server.on('tlsClientError', common.mustCall((err, socket) => {
+      try {
+        assert.ok(err instanceof Error);
+        assert.strictEqual(err.message, 'Intentional SNI callback error');
+        socket.destroy();
+        resolve();
+      } catch (e) {
+        reject(e);
+      }
+    }));
+
+    server.on('secureConnection', () => {
+      reject(new Error('secureConnection should not fire'));
+    });
+
+    await new Promise((res) => server.listen(0, res));
+
+    const client = tls.connect({
+      port: server.address().port,
+      host: '127.0.0.1',
+      servername: 'evil.attacker.com',
+      rejectUnauthorized: false,
+    });
+
+    client.on('error', () => {});
+
+    await promise;
+  });
+
+  // Test 8: SNI callback with validation error should emit tlsClientError
+  it('SNICallback validation error emits tlsClientError', async (t) => {
+    const server = tls.createServer({
+      key: fixtures.readKey('agent2-key.pem'),
+      cert: fixtures.readKey('agent2-cert.pem'),
+      SNICallback: (servername, cb) => {
+        // Simulate common developer pattern: throw on unknown servername
+        if (servername !== 'expected.example.com') {
+          throw new Error(`Unknown servername: ${servername}`);
+        }
+        cb(null, null);
+      },
+    });
+
+    t.after(() => server.close());
+
+    const { promise, resolve, reject } = createTestPromise();
+
+    server.on('tlsClientError', common.mustCall((err, socket) => {
+      try {
+        assert.ok(err instanceof Error);
+        assert.ok(err.message.includes('Unknown servername'));
+        socket.destroy();
+        resolve();
+      } catch (e) {
+        reject(e);
+      }
+    }));
+
+    server.on('secureConnection', () => {
+      reject(new Error('secureConnection should not fire'));
+    });
+
+    await new Promise((res) => server.listen(0, res));
+
+    const client = tls.connect({
+      port: server.address().port,
+      host: '127.0.0.1',
+      servername: 'unexpected.domain.com',
+      rejectUnauthorized: false,
+    });
+
+    client.on('error', () => {});
+
+    await promise;
+  });
 });
