tls: wrap SNICallback invocation in try/catch

Wrap the owner._SNICallback() invocation in loadSNI() with try/catch
to route exceptions through owner.destroy() instead of letting them
become uncaught exceptions. This completes the fix from CVE-2026-21637
which added try/catch protection to callALPNCallback,
onPskServerCallback, and onPskClientCallback but missed loadSNI().

Without this fix, a remote unauthenticated attacker can crash any
Node.js TLS server whose SNICallback may throw on unexpected input
by sending a single TLS ClientHello with a crafted server_name value.

Fixes: https://hackerone.com/reports/3556769
Refs: https://hackerone.com/reports/3473882
CVE-ID: CVE-2026-21637
PR-URL: nodejs-private/node-private#839
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
CVE-ID: CVE-2026-21637

Author: mcollina

lib/_tls_wrap.js

@@ -209,23 +209,27 @@ function loadSNI(info) {
     return requestOCSP(owner, info);
 
   let once = false;
-  owner._SNICallback(servername, (err, context) => {
-    if (once)
-      return owner.destroy(new ERR_MULTIPLE_CALLBACK());
-    once = true;
+  try {
+    owner._SNICallback(servername, (err, context) => {
+      if (once)
+        return owner.destroy(new ERR_MULTIPLE_CALLBACK());
+      once = true;
 
-    if (err)
-      return owner.destroy(err);
+      if (err)
+        return owner.destroy(err);
 
-    if (owner._handle === null)
-      return owner.destroy(new ERR_SOCKET_CLOSED());
+      if (owner._handle === null)
+        return owner.destroy(new ERR_SOCKET_CLOSED());
 
-    // TODO(indutny): eventually disallow raw `SecureContext`
-    if (context)
-      owner._handle.sni_context = context.context || context;
+      // TODO(indutny): eventually disallow raw `SecureContext`
+      if (context)
+        owner._handle.sni_context = context.context || context;
 
-    requestOCSP(owner, info);
-  });
+      requestOCSP(owner, info);
+    });
+  } catch (err) {
+    owner.destroy(err);
+  }
 }
 
 

test/parallel/test-tls-psk-alpn-callback-exception-handling.js

@@ -335,4 +335,94 @@ describe('TLS callback exception handling', () => {
 
     await promise;
   });
+
+  // Test 7: SNI callback throwing should emit tlsClientError
+  it('SNICallback throwing emits tlsClientError', async (t) => {
+    const server = tls.createServer({
+      key: fixtures.readKey('agent2-key.pem'),
+      cert: fixtures.readKey('agent2-cert.pem'),
+      SNICallback: (servername, cb) => {
+        throw new Error('Intentional SNI callback error');
+      },
+    });
+
+    t.after(() => server.close());
+
+    const { promise, resolve, reject } = createTestPromise();
+
+    server.on('tlsClientError', common.mustCall((err, socket) => {
+      try {
+        assert.ok(err instanceof Error);
+        assert.strictEqual(err.message, 'Intentional SNI callback error');
+        socket.destroy();
+        resolve();
+      } catch (e) {
+        reject(e);
+      }
+    }));
+
+    server.on('secureConnection', () => {
+      reject(new Error('secureConnection should not fire'));
+    });
+
+    await new Promise((res) => server.listen(0, res));
+
+    const client = tls.connect({
+      port: server.address().port,
+      host: '127.0.0.1',
+      servername: 'evil.attacker.com',
+      rejectUnauthorized: false,
+    });
+
+    client.on('error', () => {});
+
+    await promise;
+  });
+
+  // Test 8: SNI callback with validation error should emit tlsClientError
+  it('SNICallback validation error emits tlsClientError', async (t) => {
+    const server = tls.createServer({
+      key: fixtures.readKey('agent2-key.pem'),
+      cert: fixtures.readKey('agent2-cert.pem'),
+      SNICallback: (servername, cb) => {
+        // Simulate common developer pattern: throw on unknown servername
+        if (servername !== 'expected.example.com') {
+          throw new Error(`Unknown servername: ${servername}`);
+        }
+        cb(null, null);
+      },
+    });
+
+    t.after(() => server.close());
+
+    const { promise, resolve, reject } = createTestPromise();
+
+    server.on('tlsClientError', common.mustCall((err, socket) => {
+      try {
+        assert.ok(err instanceof Error);
+        assert.ok(err.message.includes('Unknown servername'));
+        socket.destroy();
+        resolve();
+      } catch (e) {
+        reject(e);
+      }
+    }));
+
+    server.on('secureConnection', () => {
+      reject(new Error('secureConnection should not fire'));
+    });
+
+    await new Promise((res) => server.listen(0, res));
+
+    const client = tls.connect({
+      port: server.address().port,
+      host: '127.0.0.1',
+      servername: 'unexpected.domain.com',
+      rejectUnauthorized: false,
+    });
+
+    client.on('error', () => {});
+
+    await promise;
+  });
 });