Fix unsafe bounds checks in ssl_load_session() Fixes #659 reported by Guido Vranken.

commit: 137015c1b12c4cbf7ca60c49911f59f48b5600e4 [log] [tgz]
author: Hanno Becker <hanno.becker@arm.com> Wed Oct 24 13:33:02 2018 +0100
committer: Hanno Becker <hanno.becker@arm.com> Thu Oct 25 16:07:08 2018 +0100
tree: 7464b87a52562aafadbe16e50436684b877b7e9f
parent: 9543373668c933027eb2976307db91ff71529b1e [diff] [blame]
diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c
index 97ea641..5a5445f 100644
--- a/library/ssl_ticket.c
+++ b/library/ssl_ticket.c

@@ -215,14 +215,14 @@
     size_t cert_len;
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
-    if( p + sizeof( mbedtls_ssl_session ) > end )
+    if( sizeof( mbedtls_ssl_session ) > (size_t)( end - p ) )
         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
 
     memcpy( session, p, sizeof( mbedtls_ssl_session ) );
     p += sizeof( mbedtls_ssl_session );
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
-    if( p + 3 > end )
+    if( 3 > (size_t)( end - p ) )
         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
 
     cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
@@ -236,7 +236,7 @@
     {
         int ret;
 
-        if( p + cert_len > end )
+        if( cert_len > (size_t)( end - p ) )
             return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
 
         session->peer_cert = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
commit	137015c1b12c4cbf7ca60c49911f59f48b5600e4	[log] [tgz]
author	Hanno Becker <hanno.becker@arm.com>	Wed Oct 24 13:33:02 2018 +0100
committer	Hanno Becker <hanno.becker@arm.com>	Thu Oct 25 16:07:08 2018 +0100
tree	7464b87a52562aafadbe16e50436684b877b7e9f
parent	9543373668c933027eb2976307db91ff71529b1e [diff] [blame]