From 6085c721d2fa0a8b0e38fc5ce9d0735232fe1cae Mon Sep 17 00:00:00 2001 From: mohammad1603 Date: Thu, 22 Feb 2018 04:29:04 -0800 Subject: [PATCH 1/5] Backport 2.7:Add guard to out_left to avoid negative values Add guard to out_left to avoid negative values --- ChangeLog | 2 ++ library/ssl_tls.c | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/ChangeLog b/ChangeLog index 09bb3cb03..2deaafb34 100644 --- a/ChangeLog +++ b/ChangeLog @@ -33,6 +33,8 @@ Changes * Fix typo in a comment ctr_drbg.c. Contributed by Paul Sokolovsky. * MD functions deprecated in 2.7.0 are no longer inline, to provide a migration path for those depending on the library's ABI. + * Add guard to validate that out_left can not be negative. Raised by + samoconnor in #1245. = mbed TLS 2.7.0 branch released 2018-02-03 diff --git a/library/ssl_tls.c b/library/ssl_tls.c index ff52104ff..027fdd259 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -2481,6 +2481,12 @@ int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl ) if( ret <= 0 ) return( ret ); + if( (size_t)ret > ssl->out_left ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "f_send returned value greater than out left size" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + ssl->out_left -= ret; } From b11af86daff1e68dff8118b8f33f1b5a2a01841f Mon Sep 17 00:00:00 2001 From: mohammad1603 Date: Mon, 19 Mar 2018 07:18:13 -0700 Subject: [PATCH 2/5] Avoid wraparound on in_left Avoid wraparound on in_left --- library/ssl_tls.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 027fdd259..b91577601 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
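Review bot: The new guard in mbedtls_ssl_flush_output carries no comment explaining why a positive `ret` larger than `ssl->out_left` is reported as `MBEDTLS_ERR_SSL_INTERNAL_ERROR` rather than as a transport failure, and a later reader will wonder whether the branch is reachable at all. It is a contract check on the application-supplied `f_send` callback, so I would put `/* f_send must return at most the number of bytes it was asked to send; a larger value is a callback bug and would make the out_left subtraction below wrap. */` above the `if`. The `(size_t)ret` cast is only well-defined because the `if( ret <= 0 ) return( ret );` lines just above guarantee `ret` is positive, which belongs in the same comment (out_left appears to be a `size_t`, judging by the cast, though its declaration is not visible here). The enclosing function starts outside the hunk.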
@@ -2434,6 +2434,14 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) if( ret < 0 ) return( ret ); + // At this point ret value is positive, verify that adding ret + // value to ssl->in_left doesn't cause a wraparound + if (ssl->in_left + (size_t)ret < ssl->in_left) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "wraparound happened over in_left value" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + ssl->in_left += ret; } } From 2ea2d686e20d7f29cf0f72f97a5ad3ee808d300a Mon Sep 17 00:00:00 2001 From: mohammad1603 Date: Thu, 22 Mar 2018 02:40:43 -0700 Subject: [PATCH 3/5] Verify that f_send and f_recv send and receive the expected length Verify that f_send and f_recv send and receive the expected length Conflicts: ChangeLog --- ChangeLog | 5 +++-- library/ssl_tls.c | 12 +++++++----- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2deaafb34..3ebae33af 100644 --- a/ChangeLog +++ b/ChangeLog @@ -33,8 +33,9 @@ Changes * Fix typo in a comment ctr_drbg.c. Contributed by Paul Sokolovsky. * MD functions deprecated in 2.7.0 are no longer inline, to provide a migration path for those depending on the library's ABI. - * Add guard to validate that out_left can not be negative. Raised by - samoconnor in #1245. + * Verify that when (f_send, f_recv and f_recv_timeout) send or receive + more than the required length an error is returned. Raised by + Sam O'Connor in #1245. = mbed TLS 2.7.0 branch released 2018-02-03 diff --git a/library/ssl_tls.c b/library/ssl_tls.c index b91577601..b3fb95c50 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
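Review bot: The wraparound test `ssl->in_left + (size_t)ret < ssl->in_left` can only fire when `in_left` is already within `ret` of `SIZE_MAX`, which an offset into a bounded input buffer should never be, so it does not catch the realistic callback defect of `f_recv` returning more bytes than it was asked for. The next patch in this series replaces it with a comparison against the requested length, which is the right contract check; if this intermediate version is kept for bisectability, its comment should at least say which condition it is guarding against. Style: `if (` with a space and the `//` comments differ from the `if( ... )` and `/* */` forms on the surrounding lines. mbedtls_ssl_fetch_input begins outside the hunk.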
@@ -2434,11 +2434,11 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) if( ret < 0 ) return( ret ); - // At this point ret value is positive, verify that adding ret - // value to ssl->in_left doesn't cause a wraparound - if (ssl->in_left + (size_t)ret < ssl->in_left) + if ( (size_t)ret > len ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "wraparound happened over in_left value" ) ); + MBEDTLS_SSL_DEBUG_MSG( 1, + ( "f_recv returned %d bytes but only %zu were requested", + ret, len ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } @@ -2491,7 +2491,9 @@ int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl ) if( (size_t)ret > ssl->out_left ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "f_send returned value greater than out left size" ) ); + MBEDTLS_SSL_DEBUG_MSG( 1, + ( "f_send returned %d bytes but only %zu bytes were sent", + ret, ssl->out_left ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } From 44a6a688c893e3356e6413a87c66bb75de7df248 Mon Sep 17 00:00:00 2001 From: mohammad1603 Date: Wed, 28 Mar 2018 23:45:33 -0700 Subject: [PATCH 4/5] Check whether INT_MAX larger than SIZE_MAX scenario Check whether INT_MAX larger than SIZE_MAX scenario --- library/ssl_tls.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index b3fb95c50..4f7f99216 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -2434,7 +2434,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) if( ret < 0 ) return( ret ); - if ( (size_t)ret > len ) + if ( (size_t)ret > len || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "f_recv returned %d bytes but only %zu were requested", @@ -2489,7 +2489,7 @@ int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl ) if( ret <= 0 ) return( ret ); - if( (size_t)ret > ssl->out_left ) + if( (size_t)ret > ssl->out_left || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "f_send returned %d bytes but only %zu bytes were sent", 
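Review bot: `if ( (size_t)ret > len )` uses `if (` with an inner space, unlike the `if( ret < 0 )` two lines above and the rest of this file; I would write `if( (size_t)ret > len )`, and the same spacing is carried into the two later patches of the series that touch this line. The function begins outside the hunk, and `len` is not declared within it, so I assume it is the byte count passed to `f_recv`.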
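Review bot: The new message `"f_send returned %d bytes but only %zu bytes were sent"` in the mbedtls_ssl_flush_output hunk describes the condition backwards: `ssl->out_left` is the number of bytes `f_send` was asked to send, not a count of bytes sent, so the text should read `"f_send returned %d bytes but only %zu were requested"`, matching the wording of the f_recv message in the hunk above. The same line is reformatted by the two later patches in this series and the wording survives into both, so correcting it here keeps the series consistent. mbedtls_ssl_flush_output begins outside the hunk.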
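Review bot: The clause `( INT_MAX > SIZE_MAX && ret > SIZE_MAX )` added in both the fetch_input and flush_output hunks of the fourth patch is correct but reads as a workaround for the narrowing `(size_t)ret` cast that precedes it; comparing in unsigned without that cast, `if( (unsigned) ret > len )` and `if( (unsigned) ret > ssl->out_left )`, is portable on its own, because the usual arithmetic conversions widen whichever of `unsigned` and `size_t` is narrower and `ret` is already known to be non-negative from the `if( ret < 0 )` / `if( ret <= 0 )` lines above. The constant comparison `INT_MAX > SIZE_MAX` is always false on common targets and may draw a comparison-always-false or sign-compare warning at high warning levels; if the current form is kept, a one-line comment such as `/* Also reject the case where int is wider than size_t and the cast above truncated ret */` would explain the intent. `INT_MAX` needs `<limits.h>` and `SIZE_MAX` needs `<stdint.h>`; the hunks do not show whether ssl_tls.c already includes both. Both enclosing functions begin outside the hunks.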
From 29ed80f79ff5d0fa82a926f9b6d4966021ba06f8 Mon Sep 17 00:00:00 2001 From: mohammad1603 Date: Mon, 2 Apr 2018 07:34:26 -0700 Subject: [PATCH 5/5] Fix compatibility problem in the printed message Replace %zu with %lu and add cast for the printed value. --- library/ssl_tls.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 4f7f99216..9471bf351 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -2437,8 +2437,8 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) if ( (size_t)ret > len || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) ) { MBEDTLS_SSL_DEBUG_MSG( 1, - ( "f_recv returned %d bytes but only %zu were requested", - ret, len ) ); + ( "f_recv returned %d bytes but only %lu were requested", + ret, (unsigned long)len ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } @@ -2492,8 +2492,8 @@ int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl ) if( (size_t)ret > ssl->out_left || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) ) { MBEDTLS_SSL_DEBUG_MSG( 1, - ( "f_send returned %d bytes but only %zu bytes were sent", - ret, ssl->out_left ) ); + ( "f_send returned %d bytes but only %lu bytes were sent", + ret, (unsigned long)ssl->out_left ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); }
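Review bot: The `(unsigned long)` casts on `len` and `ssl->out_left` silently truncate on targets where `size_t` is wider than `unsigned long` (LLP64 Windows), so the diagnostic can print a wrong count in exactly the situation it exists to report; the value only feeds a debug message, so this is cosmetic, but it deserves a comment such as `/* %lu instead of %zu for toolchains without C99 printf; may truncate on LLP64, debug output only */` on the first cast. The reason for avoiding `%zu` is only stated in the commit message, not in the code, and applies equally to both hunks. Both enclosing functions begin outside the hunks.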