commit 52754594b6729c8bc6d1c25a2335949e74b81ed4
author Simon Butcher <simon.butcher@arm.com> Thu Sep 03 13:06:01 2015 +0100
committer Simon Butcher <simon.butcher@arm.com> Thu Sep 03 13:06:01 2015 +0100
tree 0588ac8644420617fb26b7f1e42b706ec5e106b8
parent b2beb84be6837ab88a94b6ac5f54eb8a17e3349e

Merging iotssl-457-badtail with development branch

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 9007562..bff1b63 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -694,8 +694,6 @@
     }
     else
     {
-        int ret;
-
         /* Initialize HMAC contexts */
         if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 ||
             ( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 )
@@ -1455,7 +1453,7 @@
             /*
              * Generate IV
              */
-            int ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->transform_out->iv_enc,
+            ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->transform_out->iv_enc,
                                   ssl->transform_out->ivlen );
             if( ret != 0 )
                 return( ret );
@@ -3718,6 +3716,9 @@
 {
     int ret;
 
+    if( ssl == NULL || ssl->conf == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
 
     ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
@@ -5459,6 +5460,13 @@
     if( psk_len > MBEDTLS_PSK_MAX_LEN )
         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
 
+    /* Identity len will be encoded on two bytes */
+    if( ( psk_identity_len >> 16 ) != 0 ||
+        psk_identity_len > MBEDTLS_SSL_MAX_CONTENT_LEN )
+    {
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
     if( conf->psk != NULL || conf->psk_identity != NULL )
     {
         mbedtls_free( conf->psk );
@@ -5862,6 +5870,29 @@
     return( (int)( mbedtls_ssl_hdr_len( ssl ) + transform_expansion ) );
 }
 
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl )
+{
+    size_t max_len;
+
+    /*
+     * Assume mfl_code is correct since it was checked when set
+     */
+    max_len = mfl_code_to_length[ssl->conf->mfl_code];
+
+    /*
+     * Check if a smaller max length was negotiated
+     */
+    if( ssl->session_out != NULL &&
+        mfl_code_to_length[ssl->session_out->mfl_code] < max_len )
+    {
+        max_len = mfl_code_to_length[ssl->session_out->mfl_code];
+    }
+
+    return max_len;
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
 const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl )
 {
@@ -5894,6 +5925,9 @@
 {
     int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
 
+    if( ssl == NULL || ssl->conf == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
 #if defined(MBEDTLS_SSL_CLI_C)
     if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
         ret = mbedtls_ssl_handshake_client_step( ssl );
@@ -5913,6 +5947,9 @@
 {
     int ret = 0;
 
+    if( ssl == NULL || ssl->conf == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
 
     while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
@@ -6008,6 +6045,9 @@
 {
     int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
 
+    if( ssl == NULL || ssl->conf == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
 #if defined(MBEDTLS_SSL_SRV_C)
     /* On server, just send the request */
     if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
@@ -6085,6 +6125,9 @@
     int ret, record_read = 0;
     size_t n;
 
+    if( ssl == NULL || ssl->conf == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) );
 
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
@@ -6339,23 +6382,7 @@
 {
     int ret;
 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
-    unsigned int max_len;
-#endif
-
-#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
-    /*
-     * Assume mfl_code is correct since it was checked when set
-     */
-    max_len = mfl_code_to_length[ssl->conf->mfl_code];
-
-    /*
-     * Check if a smaller max length was negotiated
-     */
-    if( ssl->session_out != NULL &&
-        mfl_code_to_length[ssl->session_out->mfl_code] < max_len )
-    {
-        max_len = mfl_code_to_length[ssl->session_out->mfl_code];
-    }
+    size_t max_len = mbedtls_ssl_get_max_frag_len( ssl );
 
     if( len > max_len )
     {
@@ -6444,6 +6471,9 @@
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) );
 
+    if( ssl == NULL || ssl->conf == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
 #if defined(MBEDTLS_SSL_RENEGOTIATION)
     if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
     {
@@ -6479,6 +6509,9 @@
 {
     int ret;
 
+    if( ssl == NULL || ssl->conf == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
 
     if( ssl->out_left != 0 )