From ae48d86cb166e42986d52b7a8aabf158f69c5f16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
 <manuel.pegourie-gonnard@arm.com>
Date: Fri, 3 Jan 2020 12:18:49 +0100
Subject: [PATCH] Fix bug in record decompression

ssl_decompress_buf() was operating on data from the ssl context, but called at
a point where this data is actually in the rec structure. Call it later so
that the data is back to the ssl structure.

Signed-off-by: Simon Butcher <simon.butcher@arm.com>
---
 library/ssl_tls.c | 34 +++++++++++++++++++++-------------
 1 file changed, 21 insertions(+), 13 deletions(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index a773c9d92..146a8f1e9 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5587,7 +5587,7 @@ static int ssl_check_client_reconnect( mbedtls_ssl_context *ssl )
 #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
 
 /*
- * If applicable, decrypt (and decompress) record content
+ * If applicable, decrypt record content
  */
 static int ssl_prepare_record_content( mbedtls_ssl_context *ssl,
                                        mbedtls_record *rec )
@@ -5710,18 +5710,6 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl,
 
     }
 
-#if defined(MBEDTLS_ZLIB_SUPPORT)
-    if( ssl->transform_in != NULL &&
-        ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
-    {
-        if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
-        {
-            MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
-            return( ret );
-        }
-    }
-#endif /* MBEDTLS_ZLIB_SUPPORT */
-
 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
     if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
     {
@@ -6609,6 +6597,26 @@ static int ssl_get_next_record( mbedtls_ssl_context *ssl )
     ssl->in_msglen = rec.data_len;
     (void)mbedtls_platform_put_uint16_be( ssl->in_len, rec.data_len );
 
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    if( ssl->transform_in != NULL &&
+        ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
+    {
+        if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
+            return( ret );
+        }
+
+        /* Check actual (decompress) record content length against
+         * configured maximum. */
+        if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+    }
+#endif /* MBEDTLS_ZLIB_SUPPORT */
+
     return( 0 );
 }