Fix unsafe bounds checks in ssl_load_session() Fixes #659 reported by Guido Vranken.

commit: ac52b6061d25c306ae0100ebe834539c5e2ab909 [log] [tgz]
author: Hanno Becker <hanno.becker@arm.com> Wed Oct 24 13:33:02 2018 +0100
committer: Hanno Becker <hanno.becker@arm.com> Fri Oct 26 10:09:33 2018 +0100
tree: 873d9e0ad29569d77fd2f25cc361cbdd11f86319
parent: e2e2b9ea8b9424dd8ac28f5370c5adef5675dcf2 [diff] [blame]
diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c
index 45cb6a4..d24f322 100644
--- a/library/ssl_ticket.c
+++ b/library/ssl_ticket.c

@@ -219,14 +219,14 @@
     size_t cert_len;
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
-    if( p + sizeof( mbedtls_ssl_session ) > end )
+    if( sizeof( mbedtls_ssl_session ) > (size_t)( end - p ) )
         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
 
     memcpy( session, p, sizeof( mbedtls_ssl_session ) );
     p += sizeof( mbedtls_ssl_session );
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
-    if( p + 3 > end )
+    if( 3 > (size_t)( end - p ) )
         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
 
     cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
@@ -240,7 +240,7 @@
     {
         int ret;
 
-        if( p + cert_len > end )
+        if( cert_len > (size_t)( end - p ) )
             return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
 
         session->peer_cert = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
commit	ac52b6061d25c306ae0100ebe834539c5e2ab909	[log] [tgz]
author	Hanno Becker <hanno.becker@arm.com>	Wed Oct 24 13:33:02 2018 +0100
committer	Hanno Becker <hanno.becker@arm.com>	Fri Oct 26 10:09:33 2018 +0100
tree	873d9e0ad29569d77fd2f25cc361cbdd11f86319
parent	e2e2b9ea8b9424dd8ac28f5370c5adef5675dcf2 [diff] [blame]