commit 747fd539380ed5d37e0927b4d2fb5326f2aca104
author Philippe Antoine <contact@catenacyber.fr> Wed May 30 09:13:21 2018 +0200
committer Philippe Antoine <contact@catenacyber.fr> Tue Jun 05 16:13:10 2018 +0200
tree 78223885434a411899d98da9123fdf0a7339b7d4
parent 10438e17fc2e03c7da449d0d6aea20454c4202e2

Fixes different off by ones

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index e8e0cd8..b8b8df2 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1151,6 +1151,9 @@
          * other_secret already set by the ClientKeyExchange message,
          * and is 48 bytes long
          */
+        if( end - p < 2 )
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
         *p++ = 0;
         *p++ = 48;
         p += 48;
@@ -4528,6 +4531,12 @@
 
     while( i < ssl->in_hslen )
     {
+        if ( i + 3 > ssl->in_hslen ) {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                           MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
+        }
         if( ssl->in_msg[i] != 0 )
         {
             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );