Skip to content

Dtls13: ack management improvements#10076

Merged
douzzer merged 8 commits intowolfSSL:masterfrom
rizlik:dtls13_ack_improvements
Mar 31, 2026
Merged

Dtls13: ack management improvements#10076
douzzer merged 8 commits intowolfSSL:masterfrom
rizlik:dtls13_ack_improvements

Conversation

@rizlik
Copy link
Copy Markdown
Contributor

@rizlik rizlik commented Mar 26, 2026

Improve DTLS 1.3 ACK record handling, enforcing record count limits. It also introduces comprehensive tests for these edge cases.

  • Added a strict upper bound (DTLS13_ACK_MAX_RECORDS) on the number of ACK records that can be tracked and encoded

@rizlik rizlik requested a review from julek-wolfssl March 26, 2026 14:13
@rizlik rizlik self-assigned this Mar 26, 2026
Copilot AI review requested due to automatic review settings March 26, 2026 14:13
Copilot AI reviewed Mar 26, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Improves DTLS 1.3 ACK handling by adding explicit tracking/counting of seen ACK record numbers, enforcing an upper bound during ACK list building, and adding new API tests to cover overflow and write-dup edge cases.

Changes:

  • Add DTLS13_ACK_MAX_RECORDS / DTLS13_RN_SIZE constants and track seenRecordsCount alongside the ACK record list.
  • Enforce ACK-list size constraints in Dtls13RtxAddAck() and Dtls13WriteAckMessage(), and reset the counter on flush/transfer paths.
  • Add new DTLS 1.3 ACK edge-case tests (overflow behavior and write-dup counter reset).

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File Description
wolfssl/internal.h Adds ACK sizing macros, adds seenRecordsCount to DTLS13 RTX state, and updates DTLS13 internal/test-visible function declarations.
src/dtls13.c Implements count-based ACK list limiting/encoding and resets counter on flush/transfer/removal paths.
tests/api/test_dtls.h Registers new DTLS 1.3 ACK tests in the API test list.
tests/api/test_dtls.c Adds tests for ACK overflow bounds and write-dup counter reset behavior.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread wolfssl/internal.h Outdated
Comment thread wolfssl/internal.h
Comment thread src/dtls13.c
julek-wolfssl
julek-wolfssl previously approved these changes Mar 26, 2026
View reviewed changes
@rizlik
Copy link
Copy Markdown
Contributor Author

rizlik commented Mar 27, 2026

retest this please

2 similar comments
@rizlik
Copy link
Copy Markdown
Contributor Author

rizlik commented Mar 28, 2026

retest this please

@rizlik
Copy link
Copy Markdown
Contributor Author

rizlik commented Mar 28, 2026

retest this please

@programsurf
Copy link
Copy Markdown

programsurf commented Mar 30, 2026

Verified this fixes the vulnerability I reported.

  • Dtls13GetAckListLength() (word16 truncation) fully removed
  • Three independent guards: insert-time cap (128), write-time validation, in-loop bounds check
  • Counter stays consistent across insert / flush / remove / write-dup transfer
  • Mutex early-return fixes are a nice bonus

Original PoC (4097 records -> 65KB heap overflow) no longer reproduces. LGTM.

— Sunwoo Lee and Seunghyun Yoon, Korea Institute of Energy Technology (KENTECH)

Copilot AI review requested due to automatic review settings March 30, 2026 14:52
Copilot AI reviewed Mar 30, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/dtls13.c
Comment thread wolfssl/internal.h Outdated
@rizlik
Copy link
Copy Markdown
Contributor Author

rizlik commented Mar 30, 2026

retest this please

@douzzer douzzer added For This Release Release version 5.9.1 Staged Staged for merge pending final test results and review labels Mar 30, 2026
@douzzer douzzer merged commit 5f54de0 into wolfSSL:master Mar 31, 2026
648 of 650 checks passed
@github-actions github-actions Bot mentioned this pull request Apr 10, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@douzzer douzzer douzzer approved these changes

@julek-wolfssl julek-wolfssl julek-wolfssl left review comments

Assignees

@rizlik rizlik

@wolfSSL-Bot wolfSSL-Bot

Labels

For This Release Release version 5.9.1 Staged Staged for merge pending final test results and review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@rizlik @programsurf @douzzer @julek-wolfssl @wolfSSL-Bot