Fixed potential overflow in certificate size in ssl_write_certificate()

commit: 6992eb762cd7364208acb68abfe5391aa2d0322d [log] [tgz]
author: Paul Bakker <p.j.bakker@polarssl.org> Tue Dec 31 11:35:16 2013 +0100
committer: Paul Bakker <p.j.bakker@polarssl.org> Tue Dec 31 11:38:33 2013 +0100
tree: f40269966b45ef5cb95254913917a44f801c058d
parent: 6ea1a95ce831f66793f5db99dbb36e5a11a62618 [diff]
diff --git a/ChangeLog b/ChangeLog
index 3617915..506d96a 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -32,6 +32,8 @@
    * Fixed x509_crt_parse_path() bug on Windows platforms
    * Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by
      TrustInSoft)
+   * Fixed potential overflow in certificate size verification in
+     ssl_write_certificate() (found by TrustInSoft)
 
 Security
    * Possible remotely-triggered out-of-bounds memory access fixed (found by

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 6ea2821..e738028 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c

@@ -2453,7 +2453,7 @@
     while( crt != NULL )
     {
         n = crt->raw.len;
-        if( i + 3 + n > SSL_MAX_CONTENT_LEN )
+        if( n > SSL_MAX_CONTENT_LEN - 3 - i )
         {
             SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
                            i + 3 + n, SSL_MAX_CONTENT_LEN ) );
commit	6992eb762cd7364208acb68abfe5391aa2d0322d	[log] [tgz]
author	Paul Bakker <p.j.bakker@polarssl.org>	Tue Dec 31 11:35:16 2013 +0100
committer	Paul Bakker <p.j.bakker@polarssl.org>	Tue Dec 31 11:38:33 2013 +0100
tree	f40269966b45ef5cb95254913917a44f801c058d
parent	6ea1a95ce831f66793f5db99dbb36e5a11a62618 [diff]