From fdb9c54455ed4d1c456dd42cbfca44638b8ab6c7 Mon Sep 17 00:00:00 2001
From: "C. McEnroe"
Date: Thu, 12 Nov 2020 14:03:47 -0500
Subject: Check bounds of ClientHello extensions length
---
 dispatch.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'dispatch.c')
diff --git a/dispatch.c b/dispatch.c
index c0964e4..624dd40 100644
--- a/dispatch.c
+++ b/dispatch.c
@@ -121,7 +121,9 @@ static char *serverName(void) {
 skip(uint8());
 skip(uint16());
 skip(uint8());
- peek.len = uint16();
+ uint16_t len = uint16();
+ if (len > peek.len) return NULL;
+ peek.len = len;
 while (peek.len) {
 // Extension
 uint16_t type = uint16();
--
cgit 1.4.1
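Review bot: The added `len > peek.len` guard bounds only the extensions length, while the three `skip(uint8())` / `skip(uint16())` / `skip(uint8())` context lines directly above it consume length fields from the same client-supplied ClientHello (presumably session ID, cipher suites and compression methods), and whether `skip()` and `uint16()` refuse to advance past `peek.len` is not visible here. If they do not, the same over-read remains reachable through those fields and through the per-extension length read inside the `while (peek.len)` loop; serverName's body starts and ends outside the hunk, so this needs checking against the helpers. Rejecting instead of clamping also means a ClientHello larger than the peeked bytes returns NULL even when the server_name extension was captured, which is worth confirming as intended. I would also add a comment above the new check, for example `// Extensions length is client-controlled; reject it if it claims more bytes than were peeked.`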