yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-11-22 22:25:47 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix other int casts in bounds checking

Browse Source 
Not a security issue as here we know the buffer is large enough (unless
something else if badly wrong in the code), and the value cast to int is less
than 2^16 (again, unless issues elsewhere).

Still changing to a more correct check as a matter of principle
This commit is contained in:
Manuel Pégourié-Gonnard 2015-10-21 12:35:29 +02:00
parent 4dc9b394d3
commit bc5e508855
1 changed files with 12 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
library/ssl_tls.c
View File

@ -1095,11 +1095,16 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK ) if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK )
{ {
if( end - p < 2 + (int) psk_len ) if( end - p < 2 )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
*(p++) = (unsigned char)( psk_len >> 8 ); *(p++) = (unsigned char)( psk_len >> 8 );
*(p++) = (unsigned char)( psk_len ); *(p++) = (unsigned char)( psk_len );
if( end < p || (size_t)( end - p ) < psk_len )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
memset( p, 0, psk_len );
p += psk_len; p += psk_len;
} }
else else
@ -1167,11 +1172,15 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch
} }
/* opaque psk<0..2^16-1>; */ /* opaque psk<0..2^16-1>; */
if( end - p < 2 + (int) psk_len ) if( end - p < 2 )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
*(p++) = (unsigned char)( psk_len >> 8 ); *(p++) = (unsigned char)( psk_len >> 8 );
*(p++) = (unsigned char)( psk_len ); *(p++) = (unsigned char)( psk_len );
if( end < p || (size_t)( end - p ) < psk_len )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
memcpy( p, psk, psk_len ); memcpy( p, psk, psk_len );
p += psk_len; p += psk_len;