commit 6af2a6da74c62b8e788f40d9e377042404a6f328
author Xiaokang Qian <xiaokang.qian@arm.com> Sat Oct 08 10:50:19 2022 +0000
committer Xiaokang Qian <xiaokang.qian@arm.com> Wed Oct 12 11:03:44 2022 +0000
tree 7464fad2b48d7a83ef13dc63d20f3171913547ce
parent ecd7528c7f0973752556b6c688a4cbe3042c4754

Fix session save-load overflow issue

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index fa4e693..6a0a678 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -297,14 +297,15 @@
     }
 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
 
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
-    if( src->hostname != NULL )
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && defined(MBEDTLS_SSL_CLI_C)
+    if( src->endpoint == MBEDTLS_SSL_IS_CLIENT && src->hostname != NULL )
     {
         dst->hostname = mbedtls_calloc( 1, src->hostname_len );
         if( dst->hostname == NULL )
             return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
 
         memcpy( dst->hostname, src->hostname, src->hostname_len );
+        dst->hostname_len = src->hostname_len;
     }
 #endif
 
@@ -1945,6 +1946,7 @@
 /* Serialization of TLS 1.3 sessions:
  *
  *     struct {
+ *       opaque hostname<1..2^16-1>;
  *       uint64 ticket_received;
  *       uint32 ticket_lifetime;
  *       opaque ticket<1..2^16-1>;
@@ -1956,7 +1958,7 @@
  *       uint32 ticket_age_add;
  *       uint8 ticket_flags;
  *       opaque resumption_key<0..255>;
- *       opaque hostname<1..2^8-1>;
+ *
  *       select ( endpoint ) {
  *            case client: ClientOnlyData;
  *            case server: uint64 start_time;
@@ -2021,13 +2023,13 @@
     memcpy( p, session->resumption_key, session->resumption_key_len );
     p += session->resumption_key_len;
 
-    p[0] = session->hostname_len;
-    p++;
 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && defined(MBEDTLS_SSL_CLI_C)
-    if( session->endpoint == MBEDTLS_SSL_IS_CLIENT &&
-        session->hostname_len > 0 &&
-        session->hostname != NULL )
+    if( session->endpoint == MBEDTLS_SSL_IS_CLIENT )
     {
+        p[0] = session->hostname_len;
+        p++;
+        if ( session->hostname_len > 0 &&
+             session->hostname != NULL )
         /* save host name */
         memcpy( p, session->hostname, session->hostname_len );
         p += session->hostname_len;
@@ -2096,8 +2098,11 @@
     if( session->endpoint == MBEDTLS_SSL_IS_CLIENT )
     {
         /* load host name */
+        if( end - p < 1 )
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
         session->hostname_len = p[0];
         p += 1;
+
         if( end - p < session->hostname_len )
             return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
         if( session->hostname_len > 0 )