|
@@ -83,6 +83,11 @@ static QuicRecord *quic_record_make(WOLFSSL *ssl,
|
|
|
}
|
|
|
else {
|
|
|
qr->capacity = qr->len = qr_length(data, len);
|
|
|
+ if (qr->capacity > WOLFSSL_QUIC_MAX_RECORD_CAPACITY) {
|
|
|
+ WOLFSSL_MSG("QUIC length read larger than expected");
|
|
|
+ quic_record_free(ssl, qr);
|
|
|
+ return NULL;
|
|
|
+ }
|
|
|
}
|
|
|
if (qr->capacity == 0) {
|
|
|
qr->capacity = 2*1024;
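Review bot: The added bound in quic_record_make has no comment saying that `qr->capacity` at this point comes from a length field in peer-supplied data, which is what makes the check security-relevant. The matching check in quic_record_append carries `/* sanity check on length read from wire before use */`, and the same comment would fit above the added `if`. The two log strings also differ ("QUIC length read larger than expected" here, "Length read for quic is larger than expected" in the second hunk), so a single wording would make log searches simpler. The rejection returns NULL, which callers presumably also receive on allocation failure, so an oversized record may be reported as a memory error. The start of the function and its callers are outside the hunk, so that is worth confirming.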
|
|
@@ -131,7 +136,8 @@ static int quic_record_append(WOLFSSL *ssl, QuicRecord *qr, const uint8_t *data,
|
|
|
qr->len = qr_length(qr->data, qr->end);
|
|
|
|
|
|
/* sanity check on length read from wire before use */
|
|
|
- if (qr->len > (len + qr->capacity)) {
|
|
|
+ if (qr->len > WOLFSSL_QUIC_MAX_RECORD_CAPACITY) {
|
|
|
+ WOLFSSL_MSG("Length read for quic is larger than expected");
|
|
|
ret = BUFFER_E;
|
|
|
goto cleanup;
|
|
|
}
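Review bot: The replacement check `qr->len > WOLFSSL_QUIC_MAX_RECORD_CAPACITY` is a fixed upper bound only, so any wire length up to that constant is accepted once the header bytes have arrived. How much memory a peer can make each record reserve therefore depends entirely on the constant's value, which is not visible here. I would document the chosen limit and its rationale at the definition and, if that is not already done, guard it with `#ifndef WOLFSSL_QUIC_MAX_RECORD_CAPACITY` so constrained builds can lower it. The code that consumes `qr->len` after this check is outside the hunk. It should be confirmed that it grows the buffer to `qr->len` before copying, because the removed comparison against `len + qr->capacity` no longer ties the length to the buffer.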
|