From ad17fe9c377def269b4d96537f21427e4fddcdd2 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 16 Aug 2018 15:51:34 +0100 Subject: [PATCH] Fix overly strict bounds check in ssl_parse_certificate_request() --- library/ssl_cli.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 321d6367a..466608375 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -2721,7 +2721,7 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) * therefore the buffer length at this point must be greater than that * regardless of the actual code path. */ - if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n ) + if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,