From 6085c721d2fa0a8b0e38fc5ce9d0735232fe1cae Mon Sep 17 00:00:00 2001 From: mohammad1603 Date: Thu, 22 Feb 2018 04:29:04 -0800 Subject: [PATCH] Backport 2.7:Add guard to out_left to avoid negative values Add guard to out_left to avoid negative values --- ChangeLog | 2 ++ library/ssl_tls.c | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/ChangeLog b/ChangeLog index 09bb3cb03..2deaafb34 100644 --- a/ChangeLog +++ b/ChangeLog @@ -33,6 +33,8 @@ Changes * Fix typo in a comment ctr_drbg.c. Contributed by Paul Sokolovsky. * MD functions deprecated in 2.7.0 are no longer inline, to provide a migration path for those depending on the library's ABI. + * Add guard to validate that out_left can not be negative. Raised by + samoconnor in #1245. = mbed TLS 2.7.0 branch released 2018-02-03 diff --git a/library/ssl_tls.c b/library/ssl_tls.c index ff52104ff..027fdd259 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -2481,6 +2481,12 @@ int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl ) if( ret <= 0 ) return( ret ); + if( (size_t)ret > ssl->out_left ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "f_send returned value greater than out left size" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + ssl->out_left -= ret; }