Merge remote-tracking branch 'restricted/pr/520' into development-restricted-proposed
diff --git a/ChangeLog b/ChangeLog
index 8722b27..7aa8775 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -10,6 +10,11 @@
one using PrintableString and the other UTF8String) or
in the choice of upper and lower case. Reported by
HenrikRosenquistAndersson in #1784.
+ * Fix a flawed bounds check in server PSK hint parsing. In case the
+ incoming message buffer was placed within the first 64KB of address
+ space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker
+ to trigger a memory access up to 64KB beyond the incoming message buffer,
+ potentially leading to application crash or information disclosure.
* Fix mbedtls_mpi_is_prime() to use more rounds of probabilistic testing. The
previous settings for the number of rounds made it practical for an
adversary to construct non-primes that would be erroneously accepted as
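Review bot: the phrase "server PSK hint parsing" is ambiguous about which side is affected; the changed code lives in library/ssl_cli.c, i.e. the client's parsing of the psk_identity_hint field of the ServerKeyExchange message, so the entry should say that (for example "Fix a flawed bounds check in the client's parsing of the server's PSK identity hint"). The neighbouring entry credits a reporter and an issue number in the form "Reported by ... in #1784"; if this fix has a tracking reference, add it here in the same style.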
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 5720a4b..ff576f3 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -2109,7 +2109,7 @@
*
* opaque psk_identity_hint<0..2^16-1>;
*/
- if( (*p) > end - 2 )
+ if( end - (*p) < 2 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message "
"(psk_identity_hint length)" ) );
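Review bot: rewriting `(*p) > end - 2` as `end - (*p) < 2` is the right shape, because the old form first computes `end - 2` as a pointer and, when `end` lies within the first bytes of the address space, that subtraction can wrap and defeat the check, whereas the new form compares a pointer difference. The new comparison assumes `*p <= end` on entry; a one-line comment stating that precondition here would make clear why a signed difference is safe and why the two-byte read that follows depends on it.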
@@ -2118,7 +2118,7 @@
len = (*p)[0] << 8 | (*p)[1];
*p += 2;
- if( (*p) > end - len )
+ if( end - (*p) < (int) len )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message "
"(psk_identity_hint length)" ) );
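Review bot: `(int) len` is safe here only because `len` was just assembled from two bytes at `len = (*p)[0] << 8 | (*p)[1];` and so cannot exceed 65535, which fits in `int`; if that bound ever changed, the cast could turn a large length into a negative value and make the check pass. Either tie the cast to the 16-bit bound with a comment, or write the check as `(size_t)( end - *p ) < len`, which is well defined because the previous check guarantees `end - *p >= 2` before the `*p += 2` above and so the difference is non-negative here.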