From 9a1396bfcc2bc2c43aa94f2fdffcfb4341c229b7 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 16 Nov 2022 11:04:48 +0100 Subject: [PATCH] Add ChangeLog Signed-off-by: Ronald Cron --- ChangeLog.d/fix-in-cid-buffer-size.txt | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 ChangeLog.d/fix-in-cid-buffer-size.txt diff --git a/ChangeLog.d/fix-in-cid-buffer-size.txt b/ChangeLog.d/fix-in-cid-buffer-size.txt new file mode 100644 index 0000000000..c8ede1f1c8 --- /dev/null +++ b/ChangeLog.d/fix-in-cid-buffer-size.txt @@ -0,0 +1,15 @@ +Bugfix + * Fix potential buffer overflow in DTLS with MBEDTLS_SSL_DTLS_CONNECTION_ID + enabled leading to context corruption. + +Security + * Fix potential memory probe through non-constant time memcmp() in DTLS + with MBEDTLS_SSL_DTLS_CONNECTION_ID enabled. The memory probe is possible + only under very specific and unlikely conditions: + 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX < MBEDTLS_SSL_CID_IN_LEN_MAX if + MBEDTLS_SSL_CONTEXT_SERIALIZATION is disabled, + MBEDTLS_SERVER_HELLO_RANDOM_LEN + MBEDTLS_CLIENT_HELLO_RANDOM_LEN + + 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX < MBEDTLS_SSL_CID_IN_LEN_MAX if + MBEDTLS_SSL_CONTEXT_SERIALIZATION is enabled. Those conditions are not + met with the default values of MBEDTLS_SSL_CID_IN_LEN_MAX and + MBEDTLS_SSL_CID_OUT_LEN_MAX where the two maximum lengths are equal.