From b8788059196c901a263d4dc510c737fd009e47a4 Mon Sep 17 00:00:00 2001 From: mohammad1603 Date: Thu, 22 Mar 2018 02:40:43 -0700 Subject: [PATCH] Verify that f_send and f_recv send and receive the expected length Verify that f_send and f_recv send and receive the expected length --- ChangeLog | 5 +++-- library/ssl_tls.c | 12 +++++++----- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index d82600c07..71f69ee20 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,8 +23,9 @@ Changes Contributed by Mathieu Briand. * Fix typo in a comment ctr_drbg.c. Contributed by Paul Sokolovsky. * Remove support for the library reference configuration for picocoin. - * Add guard to validate that out_left can not be negative. Raised by - samoconnor in #1245. + * Verify that when (f_send, f_recv and f_recv_timeout) send or receive + more than the required length an error is returned. Raised by + Sam O'Connor in #1245. = mbed TLS 2.7.0 branch released 2018-02-03 diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 0d0660e6f..2bd720410 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -2422,11 +2422,11 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) if( ret < 0 ) return( ret ); - // At this point ret value is positive, verify that adding ret - // value to ssl->in_left doesn't cause a wraparound - if (ssl->in_left + (size_t)ret < ssl->in_left) + if ( (size_t)ret > len ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "wraparound happened over in_left value" ) ); + MBEDTLS_SSL_DEBUG_MSG( 1, + ( "f_recv returned %d bytes but only %zu were requested", + ret, len ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } @@ -2479,7 +2479,9 @@ int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl ) if( (size_t)ret > ssl->out_left ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "f_send returned value greater than out left size" ) ); + MBEDTLS_SSL_DEBUG_MSG( 1, + ( "f_send returned %d bytes but only %zu bytes were sent", + ret, ssl->out_left ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); }