commit 9648f8b59cbea751921f5da49c5bcb8cad823b64
author Hanno Becker <hanno.becker@arm.com> Mon Sep 18 10:55:54 2017 +0100
committer Hanno Becker <hanno.becker@arm.com> Mon Sep 18 10:56:15 2017 +0100
tree c889b2f840346cc21ea416f3d52ede6effb04279
parent d33f1ca34c39cd42e11f5d0997603a291a4d08df

Add run-time check for handshake message size in ssl_write_record

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 970a043..d2ca101 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2742,6 +2742,15 @@
         if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
         {
             /* Make room for the additional DTLS fields */
+            if( MBEDTLS_SSL_MAX_CONTENT_LEN - ssl->out_msglen < 8 )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS handshake message too large: "
+                              "size %u, maximum %u",
+                               (unsigned) ( ssl->in_hslen - 4 ),
+                               (unsigned) ( MBEDTLS_SSL_MAX_CONTENT_LEN - 12 ) ) );
+                return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+            }
+
             memmove( ssl->out_msg + 12, ssl->out_msg + 4, len - 4 );
             ssl->out_msglen += 8;
             len += 8;