From 2ea2d686e20d7f29cf0f72f97a5ad3ee808d300a Mon Sep 17 00:00:00 2001
From: mohammad1603 <mohammad.abomokh@arm.com>
Date: Thu, 22 Mar 2018 02:40:43 -0700
Subject: [PATCH] Verify that f_send and f_recv send and receive the expected
 length

Verify that f_send and f_recv send and receive the expected length

Conflicts:
	ChangeLog
---
 ChangeLog         |  5 +++--
 library/ssl_tls.c | 12 +++++++-----
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 2deaafb34..3ebae33af 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -33,8 +33,9 @@ Changes
    * Fix typo in a comment ctr_drbg.c. Contributed by Paul Sokolovsky.
    * MD functions deprecated in 2.7.0 are no longer inline, to provide
      a migration path for those depending on the library's ABI.
-   * Add guard to validate that out_left can not be negative. Raised by 
-     samoconnor in #1245.
+   * Verify that when (f_send, f_recv and f_recv_timeout) send or receive 
+     more than the required length an error is returned. Raised by 
+     Sam O'Connor in #1245.
 
 = mbed TLS 2.7.0 branch released 2018-02-03
 
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index b91577601..b3fb95c50 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2434,11 +2434,11 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
             if( ret < 0 )
                 return( ret );
 
-            // At this point ret value is positive, verify that adding ret 
-            // value to ssl->in_left doesn't cause a wraparound
-            if (ssl->in_left + (size_t)ret < ssl->in_left)
+            if ( (size_t)ret > len )
             {
-                MBEDTLS_SSL_DEBUG_MSG( 1, ( "wraparound happened over in_left value" ) );
+                MBEDTLS_SSL_DEBUG_MSG( 1, 
+                    ( "f_recv returned %d bytes but only %zu were requested", 
+                    ret, len ) );
                 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
             }
 
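Review bot: The new debug message under the `(size_t)ret > len` check formats a `size_t` with `%zu`, which may not be supported by every C library this code is built against (C89-era and some embedded printf implementations lack the `z` modifier), so the diagnostic on this error path could misread its arguments. A portable form is `( "f_recv returned %d bytes but only %lu were requested", ret, (unsigned long) len )`. The same applies to the f_send message in the mbedtls_ssl_flush_output hunk, where the text also says `were sent` although `ssl->out_left` is the amount still pending; `but only %lu bytes were left to send` with `(unsigned long) ssl->out_left` would match what the check compares. The bound on `ret` is what stops a misbehaving transport callback from advancing `in_left` past the requested amount, but `len` is computed outside this hunk (presumably from `nb_want` and `ssl->in_left`), so confirm it cannot underflow before treating it as the limit. mbedtls_ssl_fetch_input starts and ends outside the hunk.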
@@ -2491,7 +2491,9 @@ int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
 
         if( (size_t)ret > ssl->out_left )
         {
-            MBEDTLS_SSL_DEBUG_MSG( 1, ( "f_send returned value greater than out left size" ) );
+            MBEDTLS_SSL_DEBUG_MSG( 1, 
+                ( "f_send returned %d bytes but only %zu bytes were sent", 
+                ret, ssl->out_left ) );
             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
         }