Add missing sid_len in calculations of cookie sizes
Omitting sid_len could lead to a potential buffer overread with small
MBEDTLS_SSL_IN_CONTENT_LEN.
Change the bound calculations so that it is apparent
what lengths and sizes are used.

Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index a77a1a8..da4dbc7 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -3205,7 +3205,7 @@
     }
 
     sid_len = in[59];
-    if( sid_len > in_len - 61 )
+    if( 59 + 1 + sid_len + 1 > in_len )
     {
         MBEDTLS_SSL_DEBUG_MSG( 4, ( "check cookie: sid_len=%u > %u",
                                     (unsigned) sid_len,
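Review bot: The literal terms in `59 + 1 + sid_len + 1 > in_len` are unexplained, so auditing the bound means cross-reading the `in[59]` and `in[60 + sid_len]` accesses around it. A comment above the check would make it self-evident, for example `/* 59: offset of the sid_len byte; +1 for that byte; +sid_len; +1 for the cookie_len byte read next */`; the same applies to the cookie_len check in the second hunk. The second `%u` argument of this debug message lies past the end of the hunk; if it still computes `in_len - 61`, confirm that an earlier check guarantees in_len >= 61, otherwise the printed limit wraps. The enclosing function starts and ends outside the hunk.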
@@ -3216,10 +3216,11 @@
                            in + 60, sid_len );
 
     cookie_len = in[60 + sid_len];
-    if( cookie_len > in_len - 60 ) {
+    if( 59 + 1 + sid_len + 1 + cookie_len > in_len )
+    {
         MBEDTLS_SSL_DEBUG_MSG( 4, ( "check cookie: cookie_len=%u > %u",
                                     (unsigned) cookie_len,
-                                    (unsigned) in_len - 60 ) );
+                                    (unsigned) ( in_len - sid_len - 61 ) ) );
         return( MBEDTLS_ERR_SSL_DECODE_ERROR );
     }
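Review bot: The new debug argument `in_len - sid_len - 61` avoids unsigned wrap-around only because the sid_len check earlier in the function has already rejected `61 + sid_len > in_len`, and nothing at this site records that dependency. I would add `/* cannot underflow: 61 + sid_len <= in_len was checked above */` before the message, so that reordering the checks later does not silently reintroduce a wrapped value. This assumes the length variables are unsigned; their declarations are outside the hunk. A regression test that feeds a short record whose declared lengths exceed in_len and expects MBEDTLS_ERR_SSL_DECODE_ERROR would pin the corrected bound.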