mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-02-26 03:40:26 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add a changelog entry for the cookie parsing bounds bug

Browse Source 
Co-authored-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
This commit is contained in:
Andrzej Kurek 2022-06-06 14:54:58 -04:00
parent cfb01948c8
commit e6487ab490
1 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
ChangeLog.d/cookie_parsing_bug.txt Normal file
View File

@ -0,0 +1,11 @@
Security
* Fix a buffer overread in DTLS ClientHello parsing in servers with
MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled. An unauthenticated client
or a man-in-the-middle could cause a DTLS server to read up to 255 bytes
after the end of the SSL input buffer. The buffer overread only happens
when MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that depends on
the exact configuration: 258 bytes if using mbedtls_ssl_cookie_check(),
and possibly up to 571 bytes with a custom cookie check function.
If the function provider deliberately omits these size checks, he/she
is responsible for the negative impact on his/her code.
Reported by the Cybeats PSI Team.