From c6554aab3d59b0204b3a79fe4133f00778a953c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= <mpg@elzevir.fr>
Date: Fri, 23 Aug 2013 11:10:28 +0200
Subject: [PATCH] Check length of session tickets we write

---
 library/ssl_srv.c | 29 +++++++++++++++++++++++++----
 1 file changed, 25 insertions(+), 4 deletions(-)

diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 0780da514..bb3fec425 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -56,16 +56,22 @@
  *
  *  Assumes ticket is NULL (always true on server side).
  */
-static void ssl_save_session( const ssl_session *session,
-                              unsigned char *buf, size_t *olen )
+static int ssl_save_session( const ssl_session *session,
+                             unsigned char *buf, size_t buf_len,
+                             size_t *olen )
 {
     unsigned char *p = buf;
+    size_t left = buf_len;
 #if defined(POLARSSL_X509_PARSE_C)
     size_t cert_len;
 #endif /* POLARSSL_X509_PARSE_C */
 
+    if( left < sizeof( ssl_session ) )
+        return( -1 );
+
     memcpy( p, session, sizeof( ssl_session ) );
     p += sizeof( ssl_session );
+    left -= sizeof( ssl_session );
 
 #if defined(POLARSSL_X509_PARSE_C)
     ((ssl_session *) buf)->peer_cert = NULL;
@@ -75,6 +81,9 @@ static void ssl_save_session( const ssl_session *session,
     else
         cert_len = session->peer_cert->raw.len;
 
+    if( left < 3 + cert_len )
+        return( -1 );
+
     *p++ = (unsigned char)( cert_len >> 16 & 0xFF );
     *p++ = (unsigned char)( cert_len >>  8 & 0xFF );
     *p++ = (unsigned char)( cert_len       & 0xFF );
@@ -86,6 +95,8 @@ static void ssl_save_session( const ssl_session *session,
 #endif /* POLARSSL_X509_PARSE_C */
 
     *olen = p - buf;
+
+    return( 0 );
 }
 
 /*
@@ -182,9 +193,19 @@ static int ssl_write_ticket( ssl_context *ssl, size_t *tlen )
     memcpy( iv, p, 16 );
     p += 16;
 
-    /* Dump session state */
+    /*
+     * Dump session state
+     *
+     * After the session state itself, we still need room for 16 bytes of
+     * padding and 32 bytes of MAC, so there's only so much room left
+     */
     state = p + 2;
-    ssl_save_session( ssl->session_negotiate, state, &clear_len );
+    if( ssl_save_session( ssl->session_negotiate, state,
+                          SSL_MAX_CONTENT_LEN - (state - ssl->out_ctr) - 48,
+                          &clear_len ) != 0 )
+    {
+        return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
+    }
     SSL_DEBUG_BUF( 3, "session ticket cleartext", state, clear_len );
 
     /* Apply PKCS padding */