networking · intermediate · ~15 min · safe pentest lab

Extract the SNI host from a TLS extension

Bounds-safe parsing of a length-prefixed TLS field.

Challenge

Your job

#include <stdint.h>
#include <stddef.h>
int extract_sni(const uint8_t *ext, size_t n, char *out, size_t cap);

ext is the SNI extension payload: [list_len:2][name_type:1][name_len:2][host...] (all lengths big-endian). Copy the host into out, NUL-terminated. Return the host length, or -1 on NULL/short input, a non-0x00 (host_name) type, a length that runs past n, or output overflow.

Hints

  1. Big-endian 16-bit: (ext[0]<<8)|ext[1].
  2. name_type must be 0x00 (host_name).
  3. Host bytes start at offset 5; check 5+name_len<=n and name_len+1<=cap.

Why this matters

The SNI extension carries the hostname in plaintext in a ClientHello — the field every passive TLS monitor reads. Parsing it safely is the lesson.

Starter code

#include <stdint.h>
#include <stddef.h>
int extract_sni(const uint8_t *ext, size_t n, char *out, size_t cap) {
    /* TODO */
    (void)ext; (void)n; (void)out; (void)cap;
    return -1;
}

Common mistakes

Reading lengths little-endian. Skipping the type check. Forgetting the NUL terminator's byte in the capacity check.

Edge cases to handle

Non-host type. Truncated host. Tiny output buffer.
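
Added example (not part of the original exercise, and not a solution to it): a builder that encodes the payload layout described above, plus constructed test vectors for the three edge cases, each paired with the return value the spec requires from extract_sni. The names build_sni_ext, make_sni_case and enum sni_case are hypothetical; list_len is set to cover the single entry (3 + name_len), as in RFC 6066.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example; all helper names here are hypothetical, not the exercise's. */
/* Encode [list_len:2][name_type:1][name_len:2][host...], lengths big-endian.
 * Returns bytes written, or 0 if the host or the buffer does not fit. */
size_t build_sni_ext(const char *host, uint8_t name_type,
                     uint8_t *buf, size_t cap) {
    if (!host || !buf) return 0;
    size_t len = strlen(host);
    if (len > 0xFFFF - 3) return 0;          /* list_len must fit in 16 bits */
    if (cap < 5 || len > cap - 5) return 0;  /* no overflow in the check itself */
    size_t list_len = 3 + len;               /* type byte + name_len field + host */
    buf[0] = (uint8_t)(list_len >> 8);
    buf[1] = (uint8_t)(list_len & 0xFF);
    buf[2] = name_type;
    buf[3] = (uint8_t)(len >> 8);
    buf[4] = (uint8_t)(len & 0xFF);
    memcpy(buf + 5, host, len);
    return 5 + len;
}

enum sni_case { CASE_VALID, CASE_NON_HOST_TYPE, CASE_TRUNCATED, CASE_TINY_OUT };

/* Build one constructed test vector in buf. Sets *n (input length to pass) and
 * *out_cap (output capacity to pass); returns the result extract_sni should
 * give for it per the spec above, or -2 if the vector could not be built. */
int make_sni_case(enum sni_case c, const char *host, uint8_t *buf, size_t cap,
                  size_t *n, size_t *out_cap) {
    if (!host || host[0] == '\0' || !n || !out_cap) return -2;
    size_t len = strlen(host);
    /* 0x01 is a constructed stand-in for "any type other than host_name" */
    uint8_t type = (c == CASE_NON_HOST_TYPE) ? 0x01 : 0x00;
    size_t w = build_sni_ext(host, type, buf, cap);
    if (w == 0) return -2;
    *n = w;
    *out_cap = len + 1;                       /* exactly enough: host + NUL */
    switch (c) {
    case CASE_VALID:         return (int)len;
    case CASE_NON_HOST_TYPE: return -1;
    case CASE_TRUNCATED:     *n = w - 1;     return -1; /* name_len runs past n */
    case CASE_TINY_OUT:      *out_cap = len; return -1; /* no room for the NUL */
    }
    return -2;
}
```

Pass buf, *n and an output buffer of *out_cap bytes to your extract_sni and compare its result with the value make_sni_case returned.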

Complexity

O(name_len).
