From 196ca77e5af5a9ec2197634296098d8060e5e3c3 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 14 May 2026 18:04:38 +0000
Subject: [PATCH] Apply TlsFrameHelper bounds-check fixes from dotnet/runtime PR #126352
Agent-Logs-Url: https://github.com/dotnet/yarp/sessions/90a30830-2b93-4c65-baa5-92b0ab9ed17d
Co-authored-by: MihaZupan <25307628+MihaZupan@users.noreply.github.com>
---
 src/ReverseProxy/Utilities/TlsFrameHelper.cs | 21 ++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/src/ReverseProxy/Utilities/TlsFrameHelper.cs b/src/ReverseProxy/Utilities/TlsFrameHelper.cs
index dbb54ae3e9..fbdbd46bab 100644
--- a/src/ReverseProxy/Utilities/TlsFrameHelper.cs
+++ b/src/ReverseProxy/Utilities/TlsFrameHelper.cs
@@ -504,6 +504,11 @@ private static bool TryParseClientHello(ReadOnlySpan clientHello, ref TlsF
 return true;
 }
+ if (p.Length < sizeof(ushort))
+ {
+ return false;
+ }
+
 // client_hello_extension_list (max size 2^16-1 => size fits in 2 bytes)
 int extensionListLength = BinaryPrimitives.ReadUInt16BigEndian(p);
 p = SkipBytes(p, sizeof(ushort));
@@ -542,6 +547,11 @@ private static bool TryParseServerHello(ReadOnlySpan serverHello, ref TlsF
 return false;
 }
+ if (p.Length < sizeof(ushort))
+ {
+ return false;
+ }
+
 // client_hello_extension_list (max size 2^16-1 => size fits in 2 bytes)
 int extensionListLength = BinaryPrimitives.ReadUInt16BigEndian(p);
 p = SkipBytes(p, sizeof(ushort));
@@ -675,6 +685,12 @@ private static bool TryGetSniFromServerNameList(ReadOnlySpan serverNameLis
 const int HostNameLengthOffset = 0;
 const int HostNameOffset = HostNameLengthOffset + sizeof(ushort);
+ if (hostNameStruct.Length < HostNameOffset)
+ {
+ invalid = true;
+ return null;
+ }
+
 int hostNameLength = BinaryPrimitives.ReadUInt16BigEndian(hostNameStruct);
 var hostName = hostNameStruct.Slice(HostNameOffset);
 if (hostNameLength != hostName.Length)
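Review bot: In TryParseClientHello the added `p.Length < sizeof(ushort)` guard and the `ReadUInt16BigEndian(p)` call below it are two statements that must be kept in agreement by hand; `BinaryPrimitives.TryReadUInt16BigEndian` performs the length test and the read in one call. `if (!BinaryPrimitives.TryReadUInt16BigEndian(p, out ushort extensionListLength)) { return false; }` would replace both, and the same applies to the identical guard in the TryParseServerHello hunk. The subject says the checks are ported from dotnet/runtime, so if staying line-for-line with upstream matters, a one-line comment such as `// Not enough bytes left for the 2-byte extension list length.` on each guard is the lighter alternative. Both function bodies continue outside their hunks, so whether `extensionListLength` is later compared with the remaining `p.Length` cannot be seen here.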
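Review bot: The new `hostNameStruct.Length < HostNameOffset` guard has no comment explaining why a short buffer is reported through `invalid = true`, and it is the only guard in this patch that classifies a truncated field as malformed instead of just returning a failure value. A line such as `// Fewer than 2 bytes: the host name length prefix itself is truncated, so treat the entry as malformed.` above the `if` would record that intent. The hunk header names TryGetSniFromServerNameList, a bool method, but the added `return null` does not fit that signature, so the enclosing method presumably starts outside the hunk and its handling of `invalid` on other paths cannot be checked from here.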
@@ -704,6 +720,11 @@ private static bool TryGetSupportedVersionsFromExtension(ReadOnlySpan exte
 protocols = SslProtocols.None;
+ if (extensionData.IsEmpty)
+ {
+ return false;
+ }
+
 var supportedVersionLength = extensionData[VersionListLengthOffset];
 extensionData = extensionData.Slice(VersionListNameOffset);
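Review bot: The guard added before `extensionData[VersionListLengthOffset]` tests `IsEmpty`, while the index and the `Slice(VersionListNameOffset)` call it protects are expressed through named offsets; `if (extensionData.Length < VersionListNameOffset)` would tie the check to the same constants and match the `hostNameStruct.Length < HostNameOffset` form used in the SNI hunk. The two are equivalent only if VersionListNameOffset is 1, which is likely but is declared outside the hunk. The diffstat lists this file alone, so the commit carries no test that feeds an empty extension payload through this path; a case asserting a `false` return with `protocols` left at `SslProtocols.None` would pin the new behaviour. The function body continues past the end of the hunk.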