Skip to content

quic: Fix buffer underflow#10838

Open
loganaden wants to merge 1 commit into
wolfSSL:masterfrom
cyberstormdotmu:loganaden-patch-wolfssl_quic_underflow
Open

quic: Fix buffer underflow#10838
loganaden wants to merge 1 commit into
wolfSSL:masterfrom
cyberstormdotmu:loganaden-patch-wolfssl_quic_underflow

Conversation

@loganaden

@loganaden loganaden commented Jul 2, 2026

Copy link
Copy Markdown

ZD 21915

@wolfSSL-Bot

Copy link
Copy Markdown

Can one of the admins verify this patch?

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fd8772ac3f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src/quic.c
rl = (RecordLayerHeader*)output;
ato16(rl->length, &rlen);
output += RECORD_HEADER_SZ;
if (length < RECORD_HEADER_SZ) {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Move the short-header check before reading the header

When outputBuffer.length is 1–4 at the start of a QUIC TLS record, this guard runs only after ato16(rl->length, &rlen) has already read from output. That means the short-buffer path still performs an out-of-bounds read before returning FWRITE_ERROR, so the intended underflow fix doesn't protect truncated buffered records; please check length < RECORD_HEADER_SZ before casting/dereferencing rl.

Useful? React with 👍 / 👎.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR aims to fix a potential buffer underflow in the QUIC TLS record forwarding path (wolfSSL_quic_send_internal) by adding a size check before consuming a TLS record header.

Changes:

  • Added a guard intended to prevent subtracting RECORD_HEADER_SZ from an undersized remaining buffer during QUIC send processing.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/quic.c
Comment on lines 851 to +855
/* at start of a TLS Record */
rl = (RecordLayerHeader*)output;
ato16(rl->length, &rlen);
output += RECORD_HEADER_SZ;
if (length < RECORD_HEADER_SZ) {
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants