Check the server hello output buffer size when writing the use_srtp ext

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
This commit is contained in:
Johan Pascal 2020-09-02 10:32:06 +02:00
parent 042d456832
commit 8f70fba988

View file

@ -2634,10 +2634,12 @@ static void ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
{ {
size_t mki_len = 0, ext_len = 0; size_t mki_len = 0, ext_len = 0;
uint16_t profile_value = 0; uint16_t profile_value = 0;
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
*olen = 0;
if( ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_SRTP_UNSET_PROFILE ) if( ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_SRTP_UNSET_PROFILE )
{ {
*olen = 0;
return; return;
} }
@ -2649,6 +2651,12 @@ static void ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
mki_len = ssl->dtls_srtp_info.mki_len; mki_len = ssl->dtls_srtp_info.mki_len;
} }
if( end < buf + mki_len + 9 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
return;
}
/* extension */ /* extension */
buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_USE_SRTP >> 8 ) & 0xFF ); buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_USE_SRTP >> 8 ) & 0xFF );
buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_USE_SRTP ) & 0xFF ); buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_USE_SRTP ) & 0xFF );
@ -2671,7 +2679,7 @@ static void ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
} }
else else
{ {
*olen = 0; MBEDTLS_SSL_DEBUG_MSG( 1, ( "use_srtp extension invalid profile" ) );
return; return;
} }