Fix bounds check in ssl_parse_server_psk_hint()

In the previous bounds check `(*p) > end - len`, the computation of `end - len` might underflow if `end` is within the first 64KB of the address space (note that the length `len` is controlled by the peer). In this case, the bounds check will be bypassed, leading to `*p` exceed the message bounds by up to 64KB when leaving `ssl_parse_server_psk_hint()`. In a pure PSK-based handshake, this doesn't seem to have any consequences, as `*p*` is not accessed afterwards. In a PSK-(EC)DHE handshake, however, `*p` is read from in `ssl_parse_server_ecdh_params()` and `ssl_parse_server_dh_params()` which might lead to an application crash of information leakage.
2024-10-18 12:21:04 +00:00 · 2018-10-08 13:40:50 +01:00 · 2018-10-08 13:40:50 +01:00 · 0c161d1956
parent 0592ea772a
commit 0c161d1956
1 changed files with 2 additions and 2 deletions
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@ -2097,7 +2097,7 @@ static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
     *
     * opaque psk_identity_hint<0..2^16-1>;
     */
-    if( (*p) > end - 2 )
+    if( end - (*p) < 2 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message "
                                    "(psk_identity_hint length)" ) );
@ -2106,7 +2106,7 @@ static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
    len = (*p)[0] << 8 | (*p)[1];
    *p += 2;

-    if( (*p) > end - len )
+    if( end - (*p) < len )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message "
                                    "(psk_identity_hint length)" ) );