Ensure ProcessChainOCSPRequest does not exceed the length of the cert chain.

kareem-wolfssl · kareem-wolfssl · commit 5d0e050271f0 · 2026-04-15T10:53:17.000-07:00
Thanks to Zou Dikai for the report.
diff --git a/src/tls.c b/src/tls.c
@@ -3614,6 +3614,12 @@ int ProcessChainOCSPRequest(WOLFSSL* ssl)
 
     if (chain && chain->buffer) {
         while (ret == 0 && pos + OPAQUE24_LEN < chain->length) {
+            if (i >= MAX_CERT_EXTENSIONS) {
+                WOLFSSL_MSG("OCSP request cert chain exceeds maximum length.");
+                ret = MAX_CERT_EXTENSIONS_ERR;
+                break;
+            }
+
             c24to32(chain->buffer + pos, &der.length);
             pos += OPAQUE24_LEN;
             der.buffer = chain->buffer + pos;
diff --git a/src/tls13.c b/src/tls13.c
@@ -8898,7 +8898,7 @@ static int WriteCSRToBuffer(WOLFSSL* ssl, DerBuffer** certExts,
     DerBuffer* der;
 
     if (extSz_num > MAX_CERT_EXTENSIONS)
-        return BAD_FUNC_ARG;
+        return MAX_CERT_EXTENSIONS_ERR;
 
     ext = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
     csr = ext ? (CertificateStatusRequest*)ext->data : NULL;
@@ -9152,7 +9152,7 @@ static int SendTls13Certificate(WOLFSSL* ssl)
                 return ret;
 
             if ((word16)(1 + ssl->buffers.certChainCnt) > MAX_CERT_EXTENSIONS)
-                ret = BAD_FUNC_ARG;
+                ret = MAX_CERT_EXTENSIONS_ERR;
             if (ret == 0)
                 ret = WriteCSRToBuffer(ssl, &ssl->buffers.certExts[0], &extSz[0],
                         1 /* +1 for leaf */ + (word16)ssl->buffers.certChainCnt);
