Backport 2.1:Add guard to out_left to avoid negative values

return error when f_send return a value greater than out_left
2025-04-20 16:32:28 +00:00 · 2018-02-22 04:29:04 -08:00 · 2018-02-22 04:29:04 -08:00 · f65add4f60
parent ac33180219
commit f65add4f60
2 changed files with 12 additions and 0 deletions
--- a/6
+++ b/6
@ -11,8 +11,14 @@ Bugfix
     with flag MBEDTLS_X509_BADCERT_BAD_PK even when the key type was correct.
     In the context of SSL, this resulted in handshake failure. #1351

+Changes
+   * Add guard to validate that out_left can not be negative. Raised by 
+     samoconnor in #1245.
+
+
 = mbed TLS 2.1.10 branch released 2018-02-03

+
 Security
   * Fix a heap corruption issue in the implementation of the truncated HMAC
     extension. When the truncated HMAC extension is enabled and CBC is used,
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -2449,6 +2449,12 @@ int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
        if( ret <= 0 )
            return( ret );

+        if( (size_t)ret > ssl->out_left )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "f_send returned value greater than out left size" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
        ssl->out_left -= ret;
    }