Hanno Becker 0c161d1956 Fix bounds check in ssl_parse_server_psk_hint()
In the previous bounds check `(*p) > end - len`, the computation
of `end - len` might underflow if `end` is within the first 64KB
of the address space (note that the length `len` is controlled by
the peer). In this case, the bounds check will be bypassed, leading
to `*p` exceed the message bounds by up to 64KB when leaving
`ssl_parse_server_psk_hint()`. In a pure PSK-based handshake,
this doesn't seem to have any consequences, as `*p*` is not accessed
afterwards. In a PSK-(EC)DHE handshake, however, `*p` is read from
in `ssl_parse_server_ecdh_params()` and `ssl_parse_server_dh_params()`
which might lead to an application crash of information leakage.
2018-10-08 13:40:50 +01:00
..
2018-08-13 13:49:52 +03:00
2018-05-25 14:54:14 +01:00
2017-07-27 21:44:33 +01:00
2018-06-18 10:30:30 +02:00
2017-09-06 17:51:14 +03:00
2017-10-10 19:04:27 +03:00
2018-05-15 09:21:57 +01:00
2018-08-20 10:39:27 +03:00
2018-08-17 16:52:08 +01:00
2018-07-24 16:43:20 +01:00
2015-09-04 14:21:07 +02:00
2018-05-25 14:54:14 +01:00
2015-09-04 14:21:07 +02:00
2017-10-29 17:53:52 +02:00
2018-04-11 20:27:32 -04:00
2018-07-24 16:43:20 +01:00