commit 6085c721d2fa0a8b0e38fc5ce9d0735232fe1cae
author mohammad1603 <mohammad.abomokh@arm.com> Thu Feb 22 04:29:04 2018 -0800
committer mohammad1603 <mohammad.abomokh@arm.com> Sun Feb 25 01:18:46 2018 -0800
tree fbadeae718c32db8c518aa87634f5c63f52f4621
parent 3f9cff20d7769770983052c4a726db4c972215b2

Backport 2.7:Add guard to out_left to avoid negative values

Add guard to out_left to avoid negative values

ChangeLog

diff --git a/ChangeLog b/ChangeLog
index 09bb3cb..2deaafb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -33,6 +33,8 @@
    * Fix typo in a comment ctr_drbg.c. Contributed by Paul Sokolovsky.
    * MD functions deprecated in 2.7.0 are no longer inline, to provide
      a migration path for those depending on the library's ABI.
+   * Add guard to validate that out_left can not be negative. Raised by 
+     samoconnor in #1245.
 
 = mbed TLS 2.7.0 branch released 2018-02-03
 

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index ff52104..027fdd2 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2481,6 +2481,12 @@
         if( ret <= 0 )
             return( ret );
 
+        if( (size_t)ret > ssl->out_left )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "f_send returned value greater than out left size" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
         ssl->out_left -= ret;
     }