yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-11-25 17:05:42 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix potential NULL dereference on bad usage

Browse Source
This commit is contained in:
Manuel Pégourié-Gonnard 2015-04-15 19:09:03 +02:00
parent ce60fbeb30
commit a2fce21ae5
2 changed files with 46 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ChangeLog
View File

@ -27,6 +27,9 @@ Features
errors on use of deprecated functions. errors on use of deprecated functions.
Bugfix Bugfix
* Fix potential NULL pointer dereference (not trigerrable remotely) when
ssl_write() is called before the handshake is finished (introduced in
1.3.10) (first reported by Martin Blumenstingl).
* Fix bug in pk_parse_key() that caused some valid private EC keys to be * Fix bug in pk_parse_key() that caused some valid private EC keys to be
rejected. rejected.
* Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos). * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).

71
library/ssl_tls.c
View File

@ -4754,37 +4754,16 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
} }
/* /*
* Send application data to be encrypted by the SSL layer * Send application data to be encrypted by the SSL layer,
* taking care of max fragment length and buffer size
*/ */
#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING) static int ssl_write_real( ssl_context *ssl,
static int ssl_write_real( ssl_context *ssl, const unsigned char *buf, size_t len ) const unsigned char *buf, size_t len )
#else
int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
#endif
{ {
int ret; int ret;
size_t n; size_t n;
unsigned int max_len = SSL_MAX_CONTENT_LEN; unsigned int max_len = SSL_MAX_CONTENT_LEN;
SSL_DEBUG_MSG( 2, ( "=> write" ) );
#if defined(POLARSSL_SSL_RENEGOTIATION)
if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
{
SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
return( ret );
}
#endif
if( ssl->state != SSL_HANDSHAKE_OVER )
{
if( ( ret = ssl_handshake( ssl ) ) != 0 )
{
SSL_DEBUG_RET( 1, "ssl_handshake", ret );
return( ret );
}
}
#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH) #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
/* /*
* Assume mfl_code is correct since it was checked when set * Assume mfl_code is correct since it was checked when set
@ -4824,8 +4803,6 @@ int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
} }
} }
SSL_DEBUG_MSG( 2, ( "<= write" ) );
return( (int) n ); return( (int) n );
} }
@ -4837,7 +4814,8 @@ int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
* remember wether we already did the split or not. * remember wether we already did the split or not.
*/ */
#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING) #if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING)
int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len ) static int ssl_write_split( ssl_context *ssl,
const unsigned char *buf, size_t len )
{ {
int ret; int ret;
@ -4865,6 +4843,43 @@ int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
} }
#endif /* POLARSSL_SSL_CBC_RECORD_SPLITTING */ #endif /* POLARSSL_SSL_CBC_RECORD_SPLITTING */
/*
* Write application data (public-facing wrapper)
*/
int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
{
int ret;
SSL_DEBUG_MSG( 2, ( "=> write" ) );
#if defined(POLARSSL_SSL_RENEGOTIATION)
if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
{
SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
return( ret );
}
#endif
if( ssl->state != SSL_HANDSHAKE_OVER )
{
if( ( ret = ssl_handshake( ssl ) ) != 0 )
{
SSL_DEBUG_RET( 1, "ssl_handshake", ret );
return( ret );
}
}
#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING)
ret = ssl_write_split( ssl, buf, len );
#else
ret = ssl_write_real( ssl, buf, len );
#endif
SSL_DEBUG_MSG( 2, ( "<= write" ) );
return( ret );
}
/* /*
* Notify the peer that the connection is being closed * Notify the peer that the connection is being closed
*/ */