Fix possible buffer overflow with PSK

commit: b2bf5a1bbbf3652881ed55181d1f68dc6ea75dfe [log] [tgz]
author: Manuel Pégourié-Gonnard <mpg@elzevir.fr> Tue Mar 25 16:28:12 2014 +0100
committer: Paul Bakker <p.j.bakker@polarssl.org> Wed Mar 26 12:58:50 2014 +0100
tree: 1fc0e4a87ca0230b25845839f59d2d0decf48fea
parent: fdddac90a6f3b0580d0636d1a57ceba4fc2988cb [diff] [blame]
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 3fd6e34..8c60428 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c

@@ -916,6 +916,9 @@
     }
 
     /* opaque psk<0..2^16-1>; */
+    if( end - p < 2 + (int) ssl->psk_len )
+            return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
+
     *(p++) = (unsigned char)( ssl->psk_len >> 8 );
     *(p++) = (unsigned char)( ssl->psk_len      );
     memcpy( p, ssl->psk, ssl->psk_len );
@@ -3784,6 +3787,14 @@
     if( psk == NULL || psk_identity == NULL )
         return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
 
+    /*
+     * The length will be check later anyway, but in case it is obviously
+     * too large, better abort now. The PMS is as follows:
+     * other_len (2 bytes) + other + psk_len (2 bytes) + psk
+     */
+    if( psk_len + 4 > POLARSSL_PREMASTER_SIZE )
+        return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
+
     if( ssl->psk != NULL )
     {
         polarssl_free( ssl->psk );
commit	b2bf5a1bbbf3652881ed55181d1f68dc6ea75dfe	[log] [tgz]
author	Manuel Pégourié-Gonnard <mpg@elzevir.fr>	Tue Mar 25 16:28:12 2014 +0100
committer	Paul Bakker <p.j.bakker@polarssl.org>	Wed Mar 26 12:58:50 2014 +0100
tree	1fc0e4a87ca0230b25845839f59d2d0decf48fea
parent	fdddac90a6f3b0580d0636d1a57ceba4fc2988cb [diff] [blame]