diff --git a/ChangeLog b/ChangeLog index c94218e74a..69b4b63674 100644 --- a/ChangeLog +++ b/ChangeLog @@ -64,6 +64,8 @@ Bugfix * Fix buffer length assertions in the ssl_parse_certificate_request() function which leads to a potential one byte overread of the message buffer. + * Fix invalid buffer sizes passed to zlib during record compression and + decompression. Changes * Remove some redundant code in bignum.c. Contributed by Alexey Skalozub. @@ -109,6 +111,7 @@ Changes MBEDTLS_XXX_ALT macro. This means that alternative implementations do not need to copy the declarations, and ensures that they will have the same API. + * Add platform setup and teardown calls in test suites. = mbed TLS 2.8.0 branch released 2018-03-16 diff --git a/library/ssl_tls.c b/library/ssl_tls.c index e8063d2c1a..8a903c563f 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -2108,6 +2108,7 @@ static int ssl_compress_buf( mbedtls_ssl_context *ssl ) { int ret; unsigned char *msg_post = ssl->out_msg; + ptrdiff_t bytes_written = ssl->out_msg - ssl->out_buf; size_t len_pre = ssl->out_msglen; unsigned char *msg_pre = ssl->compress_buf; @@ -2127,7 +2128,7 @@ static int ssl_compress_buf( mbedtls_ssl_context *ssl ) ssl->transform_out->ctx_deflate.next_in = msg_pre; ssl->transform_out->ctx_deflate.avail_in = len_pre; ssl->transform_out->ctx_deflate.next_out = msg_post; - ssl->transform_out->ctx_deflate.avail_out = MBEDTLS_SSL_BUFFER_LEN; + ssl->transform_out->ctx_deflate.avail_out = MBEDTLS_SSL_BUFFER_LEN - bytes_written; ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH ); if( ret != Z_OK ) @@ -2137,7 +2138,7 @@ static int ssl_compress_buf( mbedtls_ssl_context *ssl ) } ssl->out_msglen = MBEDTLS_SSL_BUFFER_LEN - - ssl->transform_out->ctx_deflate.avail_out; + ssl->transform_out->ctx_deflate.avail_out - bytes_written; MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ", ssl->out_msglen ) ); @@ -2154,6 +2155,7 @@ static int ssl_decompress_buf( mbedtls_ssl_context *ssl ) { int ret; unsigned char *msg_post = ssl->in_msg; + ptrdiff_t header_bytes = ssl->in_msg - ssl->in_buf; size_t len_pre = ssl->in_msglen; unsigned char *msg_pre = ssl->compress_buf; @@ -2173,7 +2175,8 @@ static int ssl_decompress_buf( mbedtls_ssl_context *ssl ) ssl->transform_in->ctx_inflate.next_in = msg_pre; ssl->transform_in->ctx_inflate.avail_in = len_pre; ssl->transform_in->ctx_inflate.next_out = msg_post; - ssl->transform_in->ctx_inflate.avail_out = MBEDTLS_SSL_MAX_CONTENT_LEN; + ssl->transform_in->ctx_inflate.avail_out = MBEDTLS_SSL_BUFFER_LEN - + header_bytes; ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH ); if( ret != Z_OK ) @@ -2182,8 +2185,8 @@ static int ssl_decompress_buf( mbedtls_ssl_context *ssl ) return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED ); } - ssl->in_msglen = MBEDTLS_SSL_MAX_CONTENT_LEN - - ssl->transform_in->ctx_inflate.avail_out; + ssl->in_msglen = MBEDTLS_SSL_BUFFER_LEN - + ssl->transform_in->ctx_inflate.avail_out - header_bytes; MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ", ssl->in_msglen ) ); diff --git a/tests/suites/helpers.function b/tests/suites/helpers.function index eef41c79a6..f82694ada1 100644 --- a/tests/suites/helpers.function +++ b/tests/suites/helpers.function @@ -109,6 +109,9 @@ static struct } test_info; +#if defined(MBEDTLS_PLATFORM_C) +mbedtls_platform_context platform_ctx; +#endif /*----------------------------------------------------------------------------*/ /* Helper flags for complex dependencies */ @@ -127,6 +130,21 @@ test_info; /*----------------------------------------------------------------------------*/ /* Helper Functions */ +static int platform_setup() +{ + int ret = 0; +#if defined(MBEDTLS_PLATFORM_C) + ret = mbedtls_platform_setup( &platform_ctx ); +#endif /* MBEDTLS_PLATFORM_C */ + return( ret ); +} + +static void platform_teardown() +{ +#if defined(MBEDTLS_PLATFORM_C) + mbedtls_platform_teardown( &platform_ctx ); +#endif /* MBEDTLS_PLATFORM_C */ +} #if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__)) static int redirect_output( FILE** out_stream, const char* path ) diff --git a/tests/suites/main_test.function b/tests/suites/main_test.function index 042085f0ba..1390f9fbba 100644 --- a/tests/suites/main_test.function +++ b/tests/suites/main_test.function @@ -281,6 +281,18 @@ int main(int argc, const char *argv[]) #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) && \ !defined(TEST_SUITE_MEMORY_BUFFER_ALLOC) unsigned char alloc_buf[1000000]; +#endif + /* Platform setup should be called in the beginning */ + ret = platform_setup(); + if( ret != 0 ) + { + mbedtls_fprintf( stderr, + "FATAL: Failed to initialize platform - error %d\n", + ret ); + return( -1 ); + } +#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) && \ + !defined(TEST_SUITE_MEMORY_BUFFER_ALLOC) mbedtls_memory_buffer_alloc_init( alloc_buf, sizeof(alloc_buf) ); #endif @@ -293,6 +305,7 @@ int main(int argc, const char *argv[]) if( pointer != NULL ) { mbedtls_fprintf( stderr, "all-bits-zero is not a NULL pointer\n" ); + platform_teardown(); return( 1 ); } @@ -302,7 +315,8 @@ int main(int argc, const char *argv[]) if( run_test_snprintf() != 0 ) { mbedtls_fprintf( stderr, "the snprintf implementation is broken\n" ); - return( 0 ); + platform_teardown(); + return( 1 ); } while( arg_index < argc) @@ -318,6 +332,7 @@ int main(int argc, const char *argv[]) strcmp(next_arg, "-h" ) == 0 ) { mbedtls_fprintf( stdout, USAGE ); + platform_teardown(); mbedtls_exit( EXIT_SUCCESS ); } else @@ -357,6 +372,7 @@ int main(int argc, const char *argv[]) { mbedtls_fprintf( stderr, "Failed to open test file: %s\n", test_filename ); + platform_teardown(); return( 1 ); } @@ -366,6 +382,7 @@ int main(int argc, const char *argv[]) { mbedtls_fprintf( stderr, "FATAL: Dep count larger than zero at start of loop\n" ); + platform_teardown(); mbedtls_exit( MBEDTLS_EXIT_FAILURE ); } unmet_dep_count = 0; @@ -402,6 +419,7 @@ int main(int argc, const char *argv[]) if( unmet_dependencies[ unmet_dep_count ] == NULL ) { mbedtls_fprintf( stderr, "FATAL: Out of memory\n" ); + platform_teardown(); mbedtls_exit( MBEDTLS_EXIT_FAILURE ); } unmet_dep_count++; @@ -427,6 +445,7 @@ int main(int argc, const char *argv[]) stdout_fd = redirect_output( &stdout, "/dev/null" ); if( stdout_fd == -1 ) { + platform_teardown(); /* Redirection has failed with no stdout so exit */ exit( 1 ); } @@ -439,6 +458,7 @@ int main(int argc, const char *argv[]) if( !option_verbose && restore_output( &stdout, stdout_fd ) ) { /* Redirection has failed with no stdout so exit */ + platform_teardown(); exit( 1 ); } #endif /* __unix__ || __APPLE__ __MACH__ */ @@ -490,6 +510,7 @@ int main(int argc, const char *argv[]) { mbedtls_fprintf( stderr, "FAILED: FATAL PARSE ERROR\n" ); fclose( file ); + platform_teardown(); mbedtls_exit( 2 ); } else @@ -501,6 +522,7 @@ int main(int argc, const char *argv[]) { mbedtls_fprintf( stderr, "Should be empty %d\n", (int) strlen( buf ) ); + platform_teardown(); return( 1 ); } } @@ -533,5 +555,6 @@ int main(int argc, const char *argv[]) close_output( stdout ); #endif /* __unix__ || __APPLE__ __MACH__ */ + platform_teardown(); return( total_errors != 0 ); }