commit 747fd539380ed5d37e0927b4d2fb5326f2aca104
author Philippe Antoine <contact@catenacyber.fr> Wed May 30 09:13:21 2018 +0200
committer Philippe Antoine <contact@catenacyber.fr> Tue Jun 05 16:13:10 2018 +0200
tree 78223885434a411899d98da9123fdf0a7339b7d4
parent 10438e17fc2e03c7da449d0d6aea20454c4202e2

Fixes different off by ones

library/ssl_cli.c

diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 7455e99..f89972a 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -1247,14 +1247,14 @@
     size_t list_size;
     const unsigned char *p;
 
-    list_size = buf[0];
-    if( list_size + 1 != len )
+    if( len == 0 || (size_t)( buf[0] + 1 ) != len )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
         return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
     }
+    list_size = buf[0];
 
     p = buf + 1;
     while( list_size > 0 )
@@ -2711,7 +2711,7 @@
      * therefore the buffer length at this point must be greater than that
      * regardless of the actual code path.
      */
-    if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
+    if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,