Fix other int casts in bounds checking

Not a security issue as here we know the buffer is large enough (unless something else if badly wrong in the code), and the value cast to int is less than 2^16 (again, unless issues elsewhere). Still changing to a more correct check as a matter of principle
2024-11-22 16:55:42 +01:00 · 2015-10-21 12:35:29 +02:00 · 2015-10-21 12:35:29 +02:00 · bc5e508855
commit bc5e508855
parent 4dc9b394d3
1 changed files with 12 additions and 3 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -1095,11 +1095,16 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch
 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
    if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK )
    {
-        if( end - p < 2 + (int) psk_len )
+        if( end - p < 2 )
            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );

        *(p++) = (unsigned char)( psk_len >> 8 );
        *(p++) = (unsigned char)( psk_len      );
+
+        if( end < p || (size_t)( end - p ) < psk_len )
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+        memset( p, 0, psk_len );
        p += psk_len;
    }
    else
@ -1167,11 +1172,15 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch
    }

    /* opaque psk<0..2^16-1>; */
-    if( end - p < 2 + (int) psk_len )
-            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    if( end - p < 2 )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );

    *(p++) = (unsigned char)( psk_len >> 8 );
    *(p++) = (unsigned char)( psk_len      );
+
+    if( end < p || (size_t)( end - p ) < psk_len )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
    memcpy( p, psk, psk_len );
    p += psk_len;