Prevent cert chain count from exceeding array max size when calling WriteCSRToBuffer.

kareem-wolfssl · kareem-wolfssl · commit d0a0c3220484 · 2026-04-15T10:53:17.000-07:00
Thanks to Zou Dikai for the report.
diff --git a/src/tls13.c b/src/tls13.c
@@ -8882,7 +8882,7 @@ static word32 NextCert(byte* data, word32 length, word32* idx)
  * extIdx    The index number of certificate status request data
  *           for the certificate.
  * offset    index offset
- * returns   Total number of bytes written.
+ * returns   Total number of bytes written on success or negative value on error.
  */
 static int WriteCSRToBuffer(WOLFSSL* ssl, DerBuffer** certExts,
                                 word16* extSz,  word16 extSz_num)
@@ -8897,6 +8897,9 @@ static int WriteCSRToBuffer(WOLFSSL* ssl, DerBuffer** certExts,
     word32 extIdx;
     DerBuffer* der;
 
+    if (extSz_num > MAX_CERT_EXTENSIONS)
+        return BAD_FUNC_ARG;
+
     ext = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
     csr = ext ? (CertificateStatusRequest*)ext->data : NULL;
 
@@ -9148,8 +9151,11 @@ static int SendTls13Certificate(WOLFSSL* ssl)
             if (ret != 0)
                 return ret;
 
-            ret = WriteCSRToBuffer(ssl, &ssl->buffers.certExts[0], &extSz[0],
-                    1 /* +1 for leaf */ + (word16)ssl->buffers.certChainCnt);
+            if ((word16)(1 + ssl->buffers.certChainCnt) > MAX_CERT_EXTENSIONS)
+                ret = BAD_FUNC_ARG;
+            if (ret == 0)
+                ret = WriteCSRToBuffer(ssl, &ssl->buffers.certExts[0], &extSz[0],
+                        1 /* +1 for leaf */ + (word16)ssl->buffers.certChainCnt);
             if (ret < 0)
                 return ret;
             totalextSz += ret;
