Fix heap-buffer overread in ALPN ext parsing

2024-11-22 12:45:39 +01:00 · 2018-01-09 10:43:43 +01:00 · 2018-01-09 10:43:43 +01:00 · 239987fd31
commit 239987fd31
parent 3366d373f8
2 changed files with 28 additions and 17 deletions
--- a/3
+++ b/3
@ -38,6 +38,9 @@ Security
     corrupt 6 bytes on the peer's heap, potentially leading to crash or
     remote code execution. This can be triggered remotely from either
     side in both TLS and DTLS.
+   * Fix a potential heap buffer overread in ALPN extension parsing
+     (server-side). Could result in application crash, but only if an ALPN
+     name larger than 16 bytes had been configured on the server.

 Features
   * Allow comments in test data files.
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@ -603,33 +603,41 @@ static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
    }

    /*
-     * Use our order of preference
+     * Validate peer's list (lengths)
     */
    start = buf + 2;
    end = buf + len;
+    for( theirs = start; theirs != end; theirs += cur_len )
+    {
+        cur_len = *theirs++;
+
+        /* Current identifier must fit in list */
+        if( cur_len > (size_t)( end - theirs ) )
+        {
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+        }
+
+        /* Empty strings MUST NOT be included */
+        if( cur_len == 0 )
+        {
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+        }
+    }
+
+    /*
+     * Use our order of preference
+     */
    for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ )
    {
        ours_len = strlen( *ours );
        for( theirs = start; theirs != end; theirs += cur_len )
        {
-            /* If the list is well formed, we should get equality first */
-            if( theirs > end )
-            {
-                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
-                                                MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
-                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
-            }
-
            cur_len = *theirs++;

-            /* Empty strings MUST NOT be included */
-            if( cur_len == 0 )
-            {
-                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
-                                                MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
-                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
-            }
-
            if( cur_len == ours_len &&
                memcmp( theirs, *ours, cur_len ) == 0 )
            {