diff --git a/src/wh_server_cert.c b/src/wh_server_cert.c
index 5cc9b77e..06d1a211 100644
--- a/src/wh_server_cert.c
+++ b/src/wh_server_cert.c
@@ -515,6 +515,16 @@ int wh_Server_HandleCertRequest(whServerContext* server, uint16_t magic,
 wh_MessageCert_TranslateVerifyRequest(
 magic, (whMessageCert_VerifyRequest*)req_packet, &req);
+ /* Validate certificate data fits within request */
+ if (req.cert_len > req_size - sizeof(req)) {
+ resp.rc = WH_ERROR_BADARGS;
+ wh_MessageCert_TranslateVerifyResponse(
+ magic, &resp,
+ (whMessageCert_VerifyResponse*)resp_packet);
+ *out_resp_size = sizeof(resp);
+ break;
+ }
+
 /* Get pointer to certificate data */
 cert_data = (const uint8_t*)req_packet + sizeof(req);
@@ -703,10 +713,28 @@ int wh_Server_HandleCertRequest(whServerContext* server, uint16_t magic,
 whMessageCert_SimpleResponse resp = {0};
 const uint8_t* cert_data = NULL;
+ /* Validate minimum request size */
+ if (req_size < sizeof(req)) {
+ resp.rc = WH_ERROR_ABORTED;
+ wh_MessageCert_TranslateSimpleResponse(
+ magic, &resp, (whMessageCert_SimpleResponse*)resp_packet);
+ *out_resp_size = sizeof(resp);
+ break;
+ }
+
 /* Convert request struct */
 wh_MessageCert_TranslateVerifyAcertRequest(
 magic, (whMessageCert_VerifyAcertRequest*)req_packet, &req);
+ /* Validate certificate data fits within request */
+ if (req.cert_len > req_size - sizeof(req)) {
+ resp.rc = WH_ERROR_BADARGS;
+ wh_MessageCert_TranslateSimpleResponse(
+ magic, &resp, (whMessageCert_SimpleResponse*)resp_packet);
+ *out_resp_size = sizeof(resp);
+ break;
+ }
+
 cert_data = (const uint8_t*)req_packet + sizeof(req);
 /* Process the verify action */
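Review bot: In the first hunk (the Verify case, around line 515), the added bound `req.cert_len > req_size - sizeof(req)` is only sound if `req_size >= sizeof(req)` has already been established, and no such check is visible in this hunk, whereas the VerifyAcert hunk adds one explicitly. If `req_size` can be smaller than the request struct, the subtraction presumably wraps (the operand types are not shown here, but `sizeof` yields `size_t`), and any `cert_len` then passes the guard. Unless a minimum-size check already sits above the hunk, add the same `if (req_size < sizeof(req))` rejection before the `wh_MessageCert_TranslateVerifyRequest` call, since that call already reads `req_packet` as a full struct. The case body starts and ends outside the hunk, so the existing precondition needs confirming against the full file.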
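Review bot: In the second hunk (the VerifyAcert case, around line 713), the guard `req.cert_len > req_size - sizeof(req)` is free of wrap-around only because of the `req_size < sizeof(req)` check added a few lines above it, and nothing at the subtraction records that dependency. A comment on the second check, such as `/* req_size >= sizeof(req) is guaranteed by the check above, so this subtraction cannot wrap */`, would keep a later reordering or copy-paste from silently dropping the precondition. The two rejections also return different codes, `WH_ERROR_ABORTED` for a short request and `WH_ERROR_BADARGS` for an oversized `cert_len`; if the distinction is intentional, it deserves a word in the comment, otherwise a single code for malformed requests is simpler for clients to handle. The case body continues outside the hunk.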