additional sanity check on alert message size

[JacobBarthelmeh]

https://cloud.wolfssl-test.com/jenkins/job/fuzzer/job/fuzzer-with-com-det-sp-math-v2/2219/

[wolfSSL-Fenrir-bot]

Fenrir Automated Review — PR #10692

Scan targets checked: wolfssl-bugs, wolfssl-src

No new issues found in the changed files. ✅

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds an additional bounds/sanity check when parsing TLS alert messages to avoid reading past the end of the input buffer.

Changes:

• Extends the alert-size validation in DoAlert with an input-buffer bounds check.

Comments suppressed due to low confidence (1)

src/internal.c:1

• The new bounds check can be bypassed via integer overflow in *inOutIdx + ALERT_SIZE if *inOutIdx is near the max value of its type, potentially leading to an out-of-bounds read. Use an overflow-safe comparison (e.g., check *inOutIdx > length - ALERT_SIZE after confirming length >= ALERT_SIZE, or cast to a wider unsigned type and validate) to make the boundary check robust.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

MemBrowse Memory Report

gcc-arm-cortex-m3

• FLASH: .text +4 B (+0.0%, 121,397 B / 262,144 B, total: 46% used)

gcc-arm-cortex-m4-pq

• FLASH: .text +64 B (+0.0%, 277,944 B / 1,048,576 B, total: 27% used)

gcc-arm-cortex-m7-pq

• FLASH: .text +64 B (+0.0%, 278,520 B / 1,048,576 B, total: 27% used)
  No memory changes detected for:
• gcc-arm-cortex-m0plus
• gcc-arm-cortex-m4
• gcc-arm-cortex-m4-baremetal
• gcc-arm-cortex-m4-crypto-only
• gcc-arm-cortex-m4-dtls13
• gcc-arm-cortex-m4-min-ecc
• gcc-arm-cortex-m4-openssl-compat
• gcc-arm-cortex-m4-pkcs7
• gcc-arm-cortex-m4-rsa-only
• gcc-arm-cortex-m4-sp-math
• gcc-arm-cortex-m4-tls12
• gcc-arm-cortex-m4-tls13
• gcc-arm-cortex-m7
• gcc-arm-cortex-m7-tls13
• linuxkm-pie
• linuxkm-standard
• stm32-sim-stm32h753