mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-26 00:15:37 +01:00
Correct buffer size check
Further in the code the next field from the binary buffer is read. The check contained an off by one error.
This commit is contained in:
parent
f3ada4adb0
commit
bc145f7978
@ -2662,7 +2662,17 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
|
|||||||
cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )];
|
cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )];
|
||||||
n = cert_type_len;
|
n = cert_type_len;
|
||||||
|
|
||||||
if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
|
/*
|
||||||
|
* In the subsequent code there are two paths that make read from buf:
|
||||||
|
* * the length of the signature algorithms field (if minor version of
|
||||||
|
* SSL is 3),
|
||||||
|
* * distinguished name length otherwise.
|
||||||
|
* Both reach at most the index:
|
||||||
|
* ...hdr_len + 2 + n,
|
||||||
|
* therefore the buffer length at this point must be greater than that
|
||||||
|
* regardless of the actual code path.
|
||||||
|
*/
|
||||||
|
if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
|
||||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||||
|
Loading…
Reference in New Issue
Block a user