mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-30 00:54:24 +01:00
Prevent bounds check bypass through overflow in PSK identity parsing
The check `if( *p + n > end )` in `ssl_parse_client_psk_identity` is unsafe because `*p + n` might overflow, thus bypassing the check. As `n` is a user-specified value up to 65K, this is relevant if the library happens to be located in the last 65K of virtual memory. This commit replaces the check by a safe version.
This commit is contained in:
parent
8a2855ee3c
commit
b2ee6b432e
@ -3145,7 +3145,7 @@ static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
|
||||
/*
|
||||
* Receive client pre-shared key identity name
|
||||
*/
|
||||
if( *p + 2 > end )
|
||||
if( end - *p < 2 )
|
||||
{
|
||||
SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
|
||||
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
|
||||
@ -3154,7 +3154,7 @@ static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
|
||||
n = ( (*p)[0] << 8 ) | (*p)[1];
|
||||
*p += 2;
|
||||
|
||||
if( n < 1 || n > 65535 || *p + n > end )
|
||||
if( n < 1 || n > 65535 || n > (size_t) ( end - *p ) )
|
||||
{
|
||||
SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
|
||||
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
|
||||
|
Loading…
Reference in New Issue
Block a user