Merge pull request #972 from ronald-cron-arm/buffer-overflow-in-cid-fix

Fix in_cid buffer size in transform structure
2025-01-26 12:35:20 +00:00 · 2022-11-18 09:48:12 +01:00 · 2022-11-18 09:48:12 +01:00 · b7805b0a67
commit b7805b0a67
parent faefe62013 5dc7999946
2 changed files with 5 additions and 1 deletions
--- a/ChangeLog.d/fix-in-cid-buffer-size.txt
+++ b/ChangeLog.d/fix-in-cid-buffer-size.txt
@ -0,0 +1,4 @@
+Security
+    * Fix potential heap buffer overread and overwrite in DTLS if
+      MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and
+      MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX.
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@ -1021,7 +1021,7 @@ struct mbedtls_ssl_transform
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
    uint8_t in_cid_len;
    uint8_t out_cid_len;
-    unsigned char in_cid [ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
+    unsigned char in_cid [ MBEDTLS_SSL_CID_IN_LEN_MAX ];
    unsigned char out_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */