mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-04-01 04:20:45 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add missing sid_len in calculations of cookie sizes

Browse Source 
This could lead to a potential buffer overread with small
MBEDTLS_SSL_IN_CONTENT_LEN.
Change the bound calculations so that it is apparent
what lengths and sizes are used.

Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
This commit is contained in:
Andrzej Kurek 2022-06-06 14:42:41 -04:00
parent 364fd8bb71
commit c8183cc492
1 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
library/ssl_msg.c
View File

@ -3205,7 +3205,7 @@ static int ssl_check_dtls_clihlo_cookie(
} }
sid_len = in[59]; sid_len = in[59];
if( sid_len > in_len - 61 ) if( 59 + 1 + sid_len + 1 > in_len )
{ {
MBEDTLS_SSL_DEBUG_MSG( 4, ( "check cookie: sid_len=%u > %u", MBEDTLS_SSL_DEBUG_MSG( 4, ( "check cookie: sid_len=%u > %u",
(unsigned) sid_len, (unsigned) sid_len,
@ -3216,10 +3216,11 @@ static int ssl_check_dtls_clihlo_cookie(
in + 60, sid_len ); in + 60, sid_len );
cookie_len = in[60 + sid_len]; cookie_len = in[60 + sid_len];
if( cookie_len > in_len - 60 ) { if( 59 + 1 + sid_len + 1 + cookie_len > in_len )
{
MBEDTLS_SSL_DEBUG_MSG( 4, ( "check cookie: cookie_len=%u > %u", MBEDTLS_SSL_DEBUG_MSG( 4, ( "check cookie: cookie_len=%u > %u",
(unsigned) cookie_len, (unsigned) cookie_len,
(unsigned) in_len - 60 ) ); (unsigned) ( in_len - sid_len - 61 ) ) );
return( MBEDTLS_ERR_SSL_DECODE_ERROR ); return( MBEDTLS_ERR_SSL_DECODE_ERROR );
} }