mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-27 12:24:19 +01:00
Parse HelloVerifyRequest: avoid buffer overread on the cookie
In ssl_parse_hello_verify_request, we print cookie_len bytes without checking that there are that many bytes left in ssl->in_msg. This could potentially log data outside the received message (not a big deal) and could potentially read from memory outside of the receive buffer (which would be a remotely exploitable crash).
This commit is contained in:
parent
d6a63f4ca5
commit
99b6777b72
@ -1439,8 +1439,6 @@ static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
|
|||||||
}
|
}
|
||||||
|
|
||||||
cookie_len = *p++;
|
cookie_len = *p++;
|
||||||
MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );
|
|
||||||
|
|
||||||
if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len )
|
if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1,
|
MBEDTLS_SSL_DEBUG_MSG( 1,
|
||||||
@ -1449,6 +1447,7 @@ static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
|
|||||||
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
||||||
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
|
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
|
||||||
}
|
}
|
||||||
|
MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );
|
||||||
|
|
||||||
mbedtls_free( ssl->handshake->verify_cookie );
|
mbedtls_free( ssl->handshake->verify_cookie );
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user