Add a changelog entry for the cookie parsing bounds bug
Co-authored-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
diff --git a/ChangeLog.d/cookie_parsing_bug.txt b/ChangeLog.d/cookie_parsing_bug.txt
new file mode 100644
index 0000000..a5f5875
--- /dev/null
+++ b/ChangeLog.d/cookie_parsing_bug.txt
@@ -0,0 +1,11 @@
+Security
+ * Fix a buffer overread in DTLS ClientHello parsing in servers with
+ MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled. An unauthenticated client
+ or a man-in-the-middle could cause a DTLS server to read up to 255 bytes
+ after the end of the SSL input buffer. The buffer overread only happens
+ when MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that depends on
+ the exact configuration: 258 bytes if using mbedtls_ssl_cookie_check(),
+ and possibly up to 571 bytes with a custom cookie check function.
+ If the function provider deliberately omits these size checks, he/she
+ is responsible for the negative impact on his/her code.
+ Reported by the Cybeats PSI Team.