commit 5ca3640fa745f73db6fd15d8512b93fb00506bec
author Manuel Pégourié-Gonnard <mpg2@elzevir.fr> Wed Oct 21 12:35:29 2015 +0200
committer Manuel Pégourié-Gonnard <mpg2@elzevir.fr> Tue Oct 27 11:47:37 2015 +0100
tree 401a498af2f382638a40699622d5685a4db06632
parent 8abc22dde5410fea5eab43544a93bda3945f275b

Fix other int casts in bounds checking

Not a security issue as here we know the buffer is large enough (unless
something else if badly wrong in the code), and the value cast to int is less
than 2^16 (again, unless issues elsewhere).

Still changing to a more correct check as a matter of principle

backport of bc5e508

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 166b116..82d0380 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -949,11 +949,16 @@
 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
     if( key_ex == POLARSSL_KEY_EXCHANGE_PSK )
     {
-        if( end - p < 2 + (int) ssl->psk_len )
+        if( end - p < 2 )
             return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
 
         *(p++) = (unsigned char)( ssl->psk_len >> 8 );
         *(p++) = (unsigned char)( ssl->psk_len      );
+
+        if( end < p || (size_t)( end - p ) < ssl->psk_len )
+            return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
+
+        memset( p, 0, ssl->psk_len );
         p += ssl->psk_len;
     }
     else
@@ -1021,11 +1026,15 @@
     }
 
     /* opaque psk<0..2^16-1>; */
-    if( end - p < 2 + (int) ssl->psk_len )
-            return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
+    if( end - p < 2 )
+        return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
 
     *(p++) = (unsigned char)( ssl->psk_len >> 8 );
     *(p++) = (unsigned char)( ssl->psk_len      );
+
+    if( end < p || (size_t)( end - p ) < ssl->psk_len )
+        return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
+
     memcpy( p, ssl->psk, ssl->psk_len );
     p += ssl->psk_len;