From 5ca3640fa745f73db6fd15d8512b93fb00506bec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Wed, 21 Oct 2015 12:35:29 +0200
Subject: [PATCH] Fix other int casts in bounds checking

Not a security issue as here we know the buffer is large enough (unless something else if badly wrong in the code), and the value cast to int is less than 2^16 (again, unless issues elsewhere). Still changing to a more correct check as a matter of principle backport of bc5e508
---
 library/ssl_tls.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 166b116e7..82d038059 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -949,11 +949,16 @@ int ssl_psk_derive_premaster( ssl_context *ssl, key_exchange_type_t key_ex )
 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
 if( key_ex == POLARSSL_KEY_EXCHANGE_PSK )
 {
- if( end - p < 2 + (int) ssl->psk_len )
+ if( end - p < 2 )
 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
 *(p++) = (unsigned char)( ssl->psk_len );
+
+ if( end < p || (size_t)( end - p ) < ssl->psk_len )
+ return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
+
+
 memset( p, 0, ssl->psk_len );
 p += ssl->psk_len;
 }
 else
@@ -1021,11 +1026,15 @@ int ssl_psk_derive_premaster( ssl_context *ssl, key_exchange_type_t key_ex )
 }
 /* opaque psk<0..2^16-1>; */
- if( end - p < 2 + (int) ssl->psk_len )
- return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
+ if( end - p < 2 )
+ return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
 *(p++) = (unsigned char)( ssl->psk_len );
+
+ if( end < p || (size_t)( end - p ) < ssl->psk_len )
+ return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
+
 memcpy( p, ssl->psk, ssl->psk_len );
 p += ssl->psk_len;
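Review bot: The new two-step check in the PSK branch still writes `ssl->psk_len` into a two-byte length prefix without confirming it fits: `(unsigned char)( ssl->psk_len >> 8 )` silently drops any bits above the 16 that the `opaque psk<0..2^16-1>` encoding allows, so a psk_len of 0x10000 or more would pass both new bounds checks yet leave a length prefix that disagrees with the `memset` length that follows. The commit message relies on that bound being enforced wherever psk_len is stored; unless that setter guarantees it, a one-line guard before the prefix, `if( ssl->psk_len > 0xFFFF ) return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );`, would make this function self-contained, and the same applies to the second hunk at `@@ -1021` where the prefix precedes the `memcpy`. Separately, once `end - p < 2` has been rejected and `p` advanced by exactly two, the `end < p` half of the second check cannot be true; a short comment such as `/* end < p is defensive: p was bounded two bytes ago */` would keep a later reader from "simplifying" it away and losing the guard if the code between the checks ever changes. ssl_psk_derive_premaster begins before this hunk and its body continues after it.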