mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-26 01:05:40 +01:00
Add a missing buffer size check
This commit is contained in:
parent
bc145f7978
commit
bc231cc9b0
@ -2687,9 +2687,32 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
|
||||
size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
|
||||
| ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
|
||||
#if defined(MBEDTLS_DEBUG_C)
|
||||
unsigned char* sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n;
|
||||
unsigned char* sig_alg;
|
||||
size_t i;
|
||||
#endif
|
||||
|
||||
/*
|
||||
* The farthes access in buf is in the loop few lines below:
|
||||
* sig_alg[i + 1],
|
||||
* where:
|
||||
* sig_alg = buf + ...hdr_len + 3 + n,
|
||||
* max(i) = sig_alg_len - 1.
|
||||
* Therefore the farthest access is:
|
||||
* buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1],
|
||||
* which reduces to:
|
||||
* buf[...hdr_len + 3 + n + sig_alg_len],
|
||||
* which is one less than we need the buf to be.
|
||||
*/
|
||||
if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n + sig_alg_len )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
|
||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
||||
return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_DEBUG_C)
|
||||
sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n;
|
||||
for( i = 0; i < sig_alg_len; i += 2 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Signature Algorithm found: %d"
|
||||
|
Loading…
Reference in New Issue
Block a user