tls13: srv: Fix potential stack buffer overread
Fix potential stack buffer overread when
checking PSK binders.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
diff --git a/ChangeLog.d/binder-overread.txt b/ChangeLog.d/binder-overread.txt
new file mode 100644
index 0000000..c0ed4b7
--- /dev/null
+++ b/ChangeLog.d/binder-overread.txt
@@ -0,0 +1,4 @@
+Security
+ * Fix a stack buffer overread (less than 256 bytes) when parsing a TLS 1.3
+ ClientHello in a TLS 1.3 server supporting some PSK key exchange mode. A
+ malicious client could cause information disclosure or a denial of service.
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 887c5c6..af5e380 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -414,6 +414,10 @@
size_t psk_len;
unsigned char server_computed_binder[PSA_HASH_MAX_SIZE];
+ if (binder_len != PSA_HASH_LENGTH(psk_hash_alg)) {
+ return SSL_TLS1_3_BINDER_DOES_NOT_MATCH;
+ }
+
/* Get current state of handshake transcript. */
ret = mbedtls_ssl_get_handshake_transcript(
ssl, mbedtls_md_type_from_psa_alg(psk_hash_alg),
@@ -443,7 +447,9 @@
server_computed_binder, transcript_len);
MBEDTLS_SSL_DEBUG_BUF(3, "psk binder ( received ): ", binder, binder_len);
- if (mbedtls_ct_memcmp(server_computed_binder, binder, binder_len) == 0) {
+ if (mbedtls_ct_memcmp(server_computed_binder,
+ binder,
+ PSA_HASH_LENGTH(psk_hash_alg)) == 0) {
return SSL_TLS1_3_BINDER_MATCH;
}