Andrzej Kurek | a39170b | 2022-06-06 14:54:58 -0400

Security
   * Fix a buffer overread in DTLS ClientHello parsing in servers with
     MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled. An unauthenticated client
     or a man-in-the-middle could cause a DTLS server to read up to 255 bytes
     after the end of the SSL input buffer. The buffer overread only happens
     when MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that depends on
     the exact configuration: 258 bytes if using mbedtls_ssl_cookie_check(),
     and possibly up to 571 bytes with a custom cookie check function.
     If the provider of a custom cookie check function deliberately omits
     these size checks, they are responsible for the negative impact on
     their code.
     Reported by the Cybeats PSI Team.
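The entry describes a classic length-prefixed-field overread: the cookie in a DTLS ClientHello is a `cookie<0..255>` vector whose one-byte length comes from the peer, so a parser that trusts that byte can walk up to 255 bytes past the end of a small input buffer. The following is an added example, written for this page and not taken from Mbed TLS; its names (`cursor_t`, `take_vector8`, `parse_client_hello_cookie`, `EXAMPLE_IN_CONTENT_LEN`) are hypothetical stand-ins, and it does not reproduce the library's actual fix. It shows the bounds check a server-side parser needs: every declared length is compared against the bytes that actually remain before any read, so a message that announces a 255-byte cookie but carries only 20 is rejected instead of overread.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for the configured input buffer size.
 * The page names MBEDTLS_SSL_IN_CONTENT_LEN; this is not that macro. */
#define EXAMPLE_IN_CONTENT_LEN 64

/* Cursor over the received ClientHello body. */
typedef struct {
    const uint8_t *p;    /* next unread byte */
    const uint8_t *end;  /* one past the last valid byte */
} cursor_t;

/* Take n fixed bytes, refusing to advance past the end of the buffer. */
static int take_fixed(cursor_t *c, size_t n, const uint8_t **out)
{
    if ((size_t)(c->end - c->p) < n)
        return -1;                      /* truncated: would read past the buffer */
    *out = c->p;
    c->p += n;
    return 0;
}

/* Take a TLS opaque<0..max_len> vector: one length byte, then that many bytes.
 * The length byte is peer-controlled, so it is checked against the bytes
 * actually remaining rather than trusted as-is. */
static int take_vector8(cursor_t *c, size_t max_len,
                        const uint8_t **out, size_t *out_len)
{
    const uint8_t *len_byte;
    if (take_fixed(c, 1, &len_byte) != 0)
        return -1;                      /* no room even for the length byte */
    size_t len = *len_byte;
    if (len > max_len)
        return -1;                      /* exceeds the field's protocol maximum */
    if (take_fixed(c, len, out) != 0)
        return -1;                      /* declared length exceeds remaining bytes */
    *out_len = len;
    return 0;
}

typedef struct {
    const uint8_t *cookie;
    size_t cookie_len;
} client_hello_t;

/* Parse the start of a DTLS ClientHello body (RFC 6347, section 4.2.1):
 * client_version(2) random(32) session_id<0..32> cookie<0..255>.
 * Returns 0 on success, -1 on any truncated or malformed message. */
int parse_client_hello_cookie(const uint8_t *buf, size_t buf_len, client_hello_t *out)
{
    cursor_t c = { buf, buf + buf_len };
    const uint8_t *skip;
    size_t sid_len;
    if (buf_len > EXAMPLE_IN_CONTENT_LEN)
        return -1;                      /* record cannot exceed the input buffer */
    if (take_fixed(&c, 2, &skip) != 0)  return -1;               /* client_version */
    if (take_fixed(&c, 32, &skip) != 0) return -1;               /* random */
    if (take_vector8(&c, 32, &skip, &sid_len) != 0) return -1;   /* session_id */
    if (take_vector8(&c, 255, &out->cookie, &out->cookie_len) != 0) return -1;
    return 0;
}

/* Constructed test input: a ClientHello prefix whose cookie length byte says
 * `declared` while only `actual` cookie bytes follow. Returns total length.
 * Caller guarantees cap >= 36 + actual. */
size_t build_hello(uint8_t *buf, size_t cap, uint8_t declared, size_t actual)
{
    size_t n = 0;
    memset(buf, 0, cap);
    buf[n++] = 0xFE; buf[n++] = 0xFD;   /* DTLS 1.2 client_version */
    n += 32;                             /* random, left as zeros */
    buf[n++] = 0;                        /* empty session_id */
    buf[n++] = declared;                 /* cookie length byte */
    memset(buf + n, 0xAB, actual);       /* cookie bytes actually present */
    return n + actual;
}

/* Well-formed hello with a 20-byte cookie: returns 1 if parsed correctly. */
int check_well_formed(void)
{
    uint8_t buf[EXAMPLE_IN_CONTENT_LEN];
    client_hello_t h;
    size_t n = build_hello(buf, sizeof buf, 20, 20);
    return parse_client_hello_cookie(buf, n, &h) == 0 && h.cookie_len == 20;
}

/* Hello declaring a 255-byte cookie but carrying 20: returns the parser's
 * result, which must be -1 (rejected) rather than a read past the buffer. */
int check_truncated_cookie(void)
{
    uint8_t buf[EXAMPLE_IN_CONTENT_LEN];
    client_hello_t h;
    size_t n = build_hello(buf, sizeof buf, 255, 20);
    return parse_client_hello_cookie(buf, n, &h);
}

int main(void)
{
    printf("well-formed: %d, truncated cookie: %d\n",
           check_well_formed(), check_truncated_cookie());
    return 0;
}
```

The key point is that `take_vector8` never trusts the length byte on its own: it is bounded both by the field's protocol maximum and by the bytes left in the buffer. A custom cookie check function plugged into a server gets the cookie pointer and length only after this check has passed, which is the size checking the changelog entry says such a function must not omit.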