commit bbc7918b6b8e18184328ce2a10bdf5c78d1332a9
author Philippe Antoine <contact@catenacyber.fr> Wed May 30 09:13:21 2018 +0200
committer Philippe Antoine <contact@catenacyber.fr> Mon Jul 09 10:33:08 2018 +0200
tree 4f14cb47369f75729eb734884ad608190aa87a36
parent b461ba5630d1acf0ac4ee4df17f192c795395763

Fixes different off by ones

library/ssl_cli.c

diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index d3a8ecf..344f248 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -1141,12 +1141,12 @@
     size_t list_size;
     const unsigned char *p;
 
-    list_size = buf[0];
-    if( list_size + 1 != len )
+    if( len == 0 || (size_t)( buf[0] + 1 ) != len )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
         return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
     }
+    list_size = buf[0];
 
     p = buf + 1;
     while( list_size > 0 )
@@ -2494,7 +2494,7 @@
      * therefore the buffer length at this point must be greater than that
      * regardless of the actual code path.
      */
-    if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
+    if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
         return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );