From 1ba01193725f4c83bf9e4b4cd589dbc9fc626152 Mon Sep 17 00:00:00 2001
From: dmiller
Date: Sun, 2 Dec 2018 05:48:27 +0000
Subject: [PATCH] Add a length check for certificate parsing. Fixes #1399
---
 nselib/tls.lua | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/nselib/tls.lua b/nselib/tls.lua
index e57a87f1e..e7e7b180b 100644
--- a/nselib/tls.lua
+++ b/nselib/tls.lua
@@ -1212,7 +1212,13 @@ handshake_parse = {
 end
 local b = {certificates = {}}
 while j < cert_end do
- local cert_len, cert
+ local cert_len = unpack(">I3", buffer, j)
+ if cert_len + 3 + j > cert_end then
+ stdnse.debug1("server_certificate parsing error!")
+ j = cert_end
+ break
+ end
+ local cert
 cert, j = unpack(">s3", buffer, j)
 -- parse these with sslcert.parse_ssl_certificate
 table.insert(b["certificates"], cert)
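Review bot: The new `unpack(">I3", buffer, j)` at the top of the loop is itself an unchecked read, and the added bound compares against `cert_end` rather than the real end of `buffer`. Assuming `unpack` is `string.unpack`, it raises an error when fewer than three bytes remain, so a server that truncates the message or declares a certificate list longer than the data it sends could still abort parsing here or at the `>s3` read, unless `cert_end` is already bounded by the buffer length in the part of the function above this hunk, which is not visible. I would clamp once before the loop with `cert_end = math.min(cert_end, #buffer + 1)` and guard the prefix read with `if j + 3 > cert_end then break end`. Including `j`, `cert_len` and `cert_end` in the `stdnse.debug1` message would also make a malformed response easier to triage.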