Ensure the length computed by CheckHeaders in the SSL sniffer does not exceed the actual size of the packets.

[kareem-wolfssl]

Description

Fixes zd#21325

Thanks to Haruto Kimura (Stella) for the report.

Testing

Provided reproducer + built in tests

Checklist

• added tests
• updated/added doxygen
• updated appropriate READMEs
• Updated manual and documentation

[Copilot]

Pull request overview

Prevents the SSL sniffer’s CheckHeaders length calculation from reporting more SSL bytes than are actually available in the captured packet, avoiding out-of-bounds parsing.

Changes:

• Added a bounds check to ensure *sslBytes does not exceed the remaining captured packet length.
• On mismatch, sets an error and returns WOLFSSL_FATAL_ERROR.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The expression (length - (*sslFrame - packet)) mixes length with a pointer-difference. If length is an unsigned type (common for packet sizes), and (*sslFrame - packet) is greater than length, the subtraction can underflow and yield a large value, potentially bypassing the intended safety check. Consider splitting this into (1) an explicit check that the frame offset is within length, and (2) computing remaining = length - offset using a single, consistent unsigned type (e.g., size_t) before comparing to *sslBytes.

[Copilot]

PACKET_HDR_SHORT_STR may be misleading here since the failure is specifically “computed SSL bytes exceed captured packet length” (an internal inconsistency) rather than simply a short header. If the project has a more specific error for length inconsistencies, prefer that; otherwise consider introducing/using an error string that states the SSL record length exceeds the available captured bytes to improve diagnosability.

Suggested change

	SetError(PACKET_HDR_SHORT_STR, error, NULL, 0);
	SetError("SSL record length exceeds available captured bytes",
	error, NULL, 0);

[philljj]

Retest this please.