Fix incrementing pointer instead of value
This was introduced by a hasty search-and-replace that didn't account for C's
operator precedence when changing those variables to pointer types.
diff --git a/ChangeLog b/ChangeLog
index b8dc65c..ef2e7b7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,15 @@
mbed TLS ChangeLog (Sorted per branch, date)
+= mbed TLS 2.16.5 branch released xxxx-xx-xx
+
+Security
+ * Fix potential memory overread when performing an ECDSA signature
+ operation. The overread only happens with cryptographically low
+ probability (of the order of 2^-n where n is the bitsize of the curve)
+ unless the RNG is broken, and could result in information disclosure or
+ denial of service (application crash or extra resource consumption).
+ Reported by Peter and Auke (found using static analysis).
+
= mbed TLS 2.16.4 branch released 2020-01-15
Security
diff --git a/library/ecdsa.c b/library/ecdsa.c
index 3cf3d7c..6b72e0d 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -297,7 +297,7 @@
*p_sign_tries = 0;
do
{
- if( *p_sign_tries++ > 10 )
+ if( (*p_sign_tries)++ > 10 )
{
ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
goto cleanup;
@@ -310,7 +310,7 @@
*p_key_tries = 0;
do
{
- if( *p_key_tries++ > 10 )
+ if( (*p_key_tries)++ > 10 )
{
ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
goto cleanup;