Fixed potential overflow in certificate size in ssl_write_certificate()

2024-11-22 11:05:40 +01:00 · 2013-12-31 11:35:16 +01:00 · 2013-12-31 11:35:16 +01:00 · 6992eb762c
commit 6992eb762c
parent 6ea1a95ce8
2 changed files with 3 additions and 1 deletions
--- a/2
+++ b/2
@ -32,6 +32,8 @@ Bugfix
   * Fixed x509_crt_parse_path() bug on Windows platforms
   * Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by
     TrustInSoft)
+   * Fixed potential overflow in certificate size verification in
+     ssl_write_certificate() (found by TrustInSoft)

 Security
   * Possible remotely-triggered out-of-bounds memory access fixed (found by
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -2453,7 +2453,7 @@ int ssl_write_certificate( ssl_context *ssl )
    while( crt != NULL )
    {
        n = crt->raw.len;
-        if( i + 3 + n > SSL_MAX_CONTENT_LEN )
+        if( n > SSL_MAX_CONTENT_LEN - 3 - i )
        {
            SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
                           i + 3 + n, SSL_MAX_CONTENT_LEN ) );