commit f472a829c65b10f4d367fcb5cef26ef059750f1b
author Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Tue Jan 09 10:43:43 2018 +0100
committer Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Wed Jan 10 13:27:13 2018 +0100
tree 927c485894bb08192efb4a4205356af20a700229
parent ecd9f79edf687c84b059b5458991e9c8030fab5b

Fix heap-buffer overread in ALPN ext parsing

library/ssl_srv.c

diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 90995c0..2cdf227 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -791,25 +791,33 @@
         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
 
     /*
-     * Use our order of preference
+     * Validate peer's list (lengths)
      */
     start = buf + 2;
     end = buf + len;
+    for( theirs = start; theirs != end; theirs += cur_len )
+    {
+        cur_len = *theirs++;
+
+        /* Current identifier must fit in list */
+        if( cur_len > (size_t)( end - theirs ) )
+            return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
+
+        /* Empty strings MUST NOT be included */
+        if( cur_len == 0 )
+            return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    /*
+     * Use our order of preference
+     */
     for( ours = ssl->alpn_list; *ours != NULL; ours++ )
     {
         ours_len = strlen( *ours );
         for( theirs = start; theirs != end; theirs += cur_len )
         {
-            /* If the list is well formed, we should get equality first */
-            if( theirs > end )
-                return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
-
             cur_len = *theirs++;
 
-            /* Empty strings MUST NOT be included */
-            if( cur_len == 0 )
-                return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
-
             if( cur_len == ours_len &&
                 memcmp( theirs, *ours, cur_len ) == 0 )
             {