Merge pull request #7638 from gasbytes/patch

douzzer · web-flow · commit 385a0976464d · 2024-06-13T14:27:40.000-04:00
added check if the buf is at least RECORD_HEADER_SZ
diff --git a/src/quic.c b/src/quic.c
@@ -188,7 +188,7 @@ static word32 add_rec_header(byte* output, word32 length, byte type)
     return RECORD_HEADER_SZ;
 }
 
-static word32 quic_record_transfer(QuicRecord* qr, byte* buf, word32 sz)
+static sword32 quic_record_transfer(QuicRecord* qr, byte* buf, word32 sz)
 {
     word32 len = qr->end - qr->start;
     word32 offset = 0;
@@ -197,6 +197,12 @@ static word32 quic_record_transfer(QuicRecord* qr, byte* buf, word32 sz)
     if (len <= 0) {
         return 0;
     }
+
+    /* We check if the buf is at least RECORD_HEADER_SZ */
+    if (sz < RECORD_HEADER_SZ) {
+        return -1;
+    }
+
     if (qr->rec_hdr_remain == 0) {
         /* start a new TLS record */
         rlen = (qr->len <= (word32)MAX_RECORD_SIZE) ?
@@ -218,7 +224,7 @@ static word32 quic_record_transfer(QuicRecord* qr, byte* buf, word32 sz)
         qr->start += len;
         qr->rec_hdr_remain -= len;
     }
-    return len + offset;
+    return (sword32)(len + offset);
 }
 
 
@@ -766,14 +772,19 @@ int wolfSSL_provide_quic_data(WOLFSSL* ssl, WOLFSSL_ENCRYPTION_LEVEL level,
 /* Called internally when SSL wants a certain amount of input. */
 int wolfSSL_quic_receive(WOLFSSL* ssl, byte* buf, word32 sz)
 {
-    word32 n = 0;
+    sword32 n = 0;
     int transferred = 0;
 
     WOLFSSL_ENTER("wolfSSL_quic_receive");
     while (sz > 0) {
         n = 0;
         if (ssl->quic.input_head) {
             n = quic_record_transfer(ssl->quic.input_head, buf, sz);
+
+            /* record too small to be fit into a RecordLayerHeader struct. */
+            if (n == -1) {
+                return -1;
+            }
             if (quic_record_done(ssl->quic.input_head)) {
                 QuicRecord* qr = ssl->quic.input_head;
                 ssl->quic.input_head = qr->next;
@@ -791,7 +802,7 @@ int wolfSSL_quic_receive(WOLFSSL* ssl, byte* buf, word32 sz)
             ssl->error = transferred = WANT_READ;
             goto cleanup;
         }
-        sz -= n;
+        sz -= (word32)n;
         buf += n;
         transferred += (int)n;
     }
