
github.com/nodejs/node.git
author: Tobias Nießen <tniessen@tnie.de> 2022-09-15 20:27:04 +0300
committer: GitHub <noreply@github.com> 2022-09-15 20:27:04 +0300
commit: a47c2c58ae749b125261c506ff1f27f912a4d77a (patch)
tree: e685701fab8896fe501b2b7bb63b9c33d153cf27 /src
parent: b8581c7399149a90f5ffaddbd11e4d10cd7281df (diff)
tls: fix out-of-bounds read in ClientHelloParser
ClientHelloParser::ParseHeader(data, avail) potentially accesses data beyond avail bytes because it trusts the client to transmit a valid frame length. Sending an impossibly small frame length causes the TLS server to read beyond the buffer provided by the caller. Guard against this by calling End() on the ClientHelloParser when the client transmits an impossibly small frame length.

The test is designed to reliably cause a segmentation fault on Linux and Windows when the buffer overrun occurs, and to trigger a spatial safety violation when compiled with an address sanitizer enabled or when running under valgrind.

PR-URL: https://github.com/nodejs/node/pull/44580
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Minwoo Jung <nodecorelab@gmail.com>
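The overrun the message describes, as an added example that is not Node's code: a simplified model of the header parse with the commit's lower-bound check placed in front of the pre-existing upper-bound check, so the fixed six-byte handshake header is never read from a frame too small to contain it. The record/handshake layout, the names ParseRecord/ParseHeader and the result enum are assumptions for this example.

```cpp
#include <cstddef>
#include <cstdint>

// Added example modelled on ClientHelloParser::ParseHeader; not Node's code.
// Assumed layout: a 5-byte TLS record header [type][ver(2)][len(2)], followed
// by a handshake body [kClientHello][len(3)][version(2)]..., as listed in the
// commit's comment.
enum class ParseResult { kEnded, kNeedMoreData, kNotClientHello, kOk };

struct HelloHeader {
  uint32_t handshake_len = 0;
  uint16_t version = 0;
};

constexpr uint8_t kClientHello = 1;
constexpr size_t kRecordHeaderLen = 5;
constexpr size_t kMinHandshakeHeader = 6;  // type(1) + length(3) + version(2)

// frame_len is the record length the client claimed; it is attacker-controlled,
// so both bounds are checked before any byte past body_offset is read.
ParseResult ParseHeader(const uint8_t* data, size_t avail, size_t body_offset,
                        size_t frame_len, HelloHeader* out) {
  // Lower bound (the fix): a frame too small for the fixed header can never
  // become valid, so parsing stops for good instead of reading p[4] and p[5]
  // past the bytes the caller actually delivered.
  if (frame_len < kMinHandshakeHeader) return ParseResult::kEnded;
  // Upper bound (pre-existing check): the whole frame must fit in the buffer;
  // otherwise wait for the caller to deliver more bytes.
  if (body_offset + frame_len > avail) return ParseResult::kNeedMoreData;

  const uint8_t* p = data + body_offset;
  if (p[0] != kClientHello) return ParseResult::kNotClientHello;
  out->handshake_len = (uint32_t{p[1]} << 16) | (uint32_t{p[2]} << 8) | p[3];
  out->version = static_cast<uint16_t>((p[4] << 8) | p[5]);
  return ParseResult::kOk;
}

// Reads the record header to obtain frame_len, then hands off to ParseHeader.
ParseResult ParseRecord(const uint8_t* data, size_t avail, HelloHeader* out) {
  if (avail < kRecordHeaderLen) return ParseResult::kNeedMoreData;
  size_t frame_len = (size_t{data[3]} << 8) | data[4];
  return ParseHeader(data, avail, kRecordHeaderLen, frame_len, out);
}
```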
Diffstat (limited to 'src')
-rw-r--r-- src/crypto/crypto_clienthello.cc | 5
1 file changed, 5 insertions, 0 deletions
diff --git a/src/crypto/crypto_clienthello.cc b/src/crypto/crypto_clienthello.cc
index 5a0be70bc11..7da05e9b474 100644
--- a/src/crypto/crypto_clienthello.cc
+++ b/src/crypto/crypto_clienthello.cc
@@ -75,6 +75,11 @@ bool ClientHelloParser::ParseRecordHeader(const uint8_t* data, size_t avail) {
void ClientHelloParser::ParseHeader(const uint8_t* data, size_t avail) {
ClientHello hello;
+ // We need at least six bytes (one byte for kClientHello, three bytes for the
+ // length of the handshake message, and two bytes for the protocol version).
+ // If the client sent a frame that suggests a smaller ClientHello, give up.
+ if (frame_len_ < 6) return End();
+
// >= 5 + frame size bytes for frame parsing
if (body_offset_ + frame_len_ > avail)
return;
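Review bot: the literal 6 in `if (frame_len_ < 6) return End();` duplicates the byte accounting spelled out in the comment above it; a named constant (e.g. a kMinClientHelloLen with the same 1 + 3 + 2 breakdown) would keep the check and the comment from drifting apart if the header layout is ever touched. Also worth a sentence in the comment is why this path ends the parser while the very next check, `if (body_offset_ + frame_len_ > avail) return;`, merely returns: a frame larger than the bytes delivered so far can still complete on a later call, whereas a frame smaller than the fixed header can never become valid, so End() is the right terminal action here and the contrast is easy to misread.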