Google Git
Sign in
pigweed / third_party / github / ARMmbed / mbedtls / 452d53295599c310a64d4dcaa8f8ebefdbcae78c^! / .
commit452d53295599c310a64d4dcaa8f8ebefdbcae78c[log] [tgz]
authorPaul Bakker <p.j.bakker@polarssl.org>Thu Apr 05 12:07:34 2012 +0000
committerPaul Bakker <p.j.bakker@polarssl.org>Thu Apr 05 12:07:34 2012 +0000
tree28df5a3617c459ca388925c6e82cbb9fed555cff
parent61264817960d0eae6e08d7d8dc2b55dbfa0788af [diff]
 - Fixed potential memory corruption on miscrafted client messages (found by Frama-C team at CEA LIST)


diff --git a/ChangeLog b/ChangeLog
index 5849ceb..dd07b0c 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -22,6 +22,10 @@
    * Fixed handling error in mpi_cmp_mpi() on longer B values (found by
      Hui Dong)
 
+Security
+   * Fixed potential memory corruption on miscrafted client messages (found by
+     Frama-C team at CEA LIST)
+
 = Version 1.1.1 released on 2012-01-23
 Bugfix
    * Check for failed malloc() in ssl_set_hostname() and x509_get_entries()

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index bbe8388..64012e5 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c

@@ -880,6 +880,13 @@
     /*
      * Always compute the MAC (RFC4346, CBCTIME).
      */
+    if( ssl->in_msglen <= ssl->maclen + padlen )
+    {
+        SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
+                    ssl->in_msglen, ssl->maclen, padlen ) );
+        return( POLARSSL_ERR_SSL_INVALID_MAC );
+    }
+
     ssl->in_msglen -= ( ssl->maclen + padlen );
 
     ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );