commit 3cae167e6ac2b2d1aec5ca070c4cab62c6af994b
author Neil Armstrong <narmstrong@baylibre.com> Tue Apr 05 10:01:15 2022 +0200
committer Neil Armstrong <narmstrong@baylibre.com> Tue Apr 05 10:29:53 2022 +0200
tree eb0ed9344176a5da760736df1e908ff6a79d32e5
parent e18ff952a7ce75b462be180e38b3be070a5efd4f

Check buffer pointers before storing peer's public key in ECHDE-PSK PSA version of ssl_parse_client_key_exchange()

Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>

library/ssl_tls12_server.c

diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index bfd8fd3..d9a29dc 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -4057,8 +4057,15 @@
         }
 
         /* Keep a copy of the peer's public key */
+        if( p >= end )
+        {
+            psa_destroy_key( handshake->ecdh_psa_privkey );
+            handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
+            return( MBEDTLS_ERR_SSL_DECODE_ERROR );
+        }
+
         ecpoint_len = *(p++);
-        if( (size_t)( end - *p ) < ecpoint_len ) {
+        if( (size_t)( end - p ) < ecpoint_len ) {
             psa_destroy_key( handshake->ecdh_psa_privkey );
             handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
             return( MBEDTLS_ERR_SSL_DECODE_ERROR );