From faee44ded16eb289fe449693c1691763e8390b4a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Thu, 24 Sep 2015 22:19:58 +0200
Subject: [PATCH] Avoid false positives in bounds check

The size of the buffer already accounts for the extra data before the actual message, so the allowed length is SSL_MAX_CONTENT_LEN starting from _msg
---
 library/ssl_cli.c | 2 +-
 library/ssl_srv.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index c0386b697..49ea5a200 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -287,7 +287,7 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
 {
 int ret;
 unsigned char *p = buf;
- const unsigned char *end = ssl->out_buf + MBEDTLS_SSL_MAX_CONTENT_LEN;
+ const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
 size_t kkpp_len;
 *olen = 0;
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 8be7ac586..ce833ef29 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -2062,7 +2062,7 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
 {
 int ret;
 unsigned char *p = buf;
- const unsigned char *end = ssl->out_buf + MBEDTLS_SSL_MAX_CONTENT_LEN;
+ const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
 size_t kkpp_len;
 *olen = 0;
@@ -2679,7 +2679,7 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
 {
 size_t jlen;
- const unsigned char *end = ssl->out_buf + MBEDTLS_SSL_MAX_CONTENT_LEN;
+ const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, p, end - p, &jlen, ssl->conf->f_rng, ssl->conf->p_rng );
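Review bot: The new `end` in ssl_write_ecjpake_kkpp_ext is computed from `ssl->out_msg`, yet the pointer it bounds, `p`, is initialised from the separate `buf` parameter, and nothing in the hunk ties the two together; the bound is only meaningful if `buf` points inside the message that starts at `ssl->out_msg`. That precondition should be stated where `end` is set, e.g. `/* buf must point into ssl->out_msg: end is the content limit of the message being built, not of buf */`, in both ssl_cli.c and ssl_srv.c (the second hunk is the same function). Note also that `out_msg` lies after `out_buf`, so the change loosens the check; it is correct only if the allocation behind `out_buf` really reserves MBEDTLS_SSL_MAX_CONTENT_LEN bytes beyond `out_msg`, which the description asserts but the hunk cannot show. The function body continues outside the hunk.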
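Review bot: In ssl_write_server_key_exchange the recomputed `end` feeds `end - p` straight into the length argument of mbedtls_ecjpake_write_round_two; if `p` were ever past `end`, the negative difference would convert to a very large unsigned length and the bound would no longer protect the write. That presumably cannot happen here because `p` is advanced from `ssl->out_msg` earlier in the function (outside the hunk), but the invariant is not visible at the call site, so either a comment such as `/* p is within out_msg here, so end - p cannot be negative */` or a guard like `if( end < p ) return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );` (using whichever buffer-too-small code this file already returns) would make it explicit. The enclosing function starts and ends outside the hunk.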