Merge pull request #936 from paul-elliott-arm/fix_tls_record_size_check Fix the wrong variable being used for TLS record size checks

commit: 8b8a1610f70b9cf6f6972e3faef3021eba789b4d [log] [tgz]
author: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Fri Jul 01 12:29:48 2022 +0200
committer: GitHub <noreply@github.com> Fri Jul 01 12:29:48 2022 +0200
tree: 5374e077f928d03c0ac4e253b01cc5a92d2b548a
parent: f6a56cf5ff8289804f3a08c0c235aec1e254f2b5 [diff]
parent: 668b31f210356ef26b1ca26bced775b3d36f63f9 [diff]
diff --git a/ChangeLog.d/fix_tls_record_size_check.txt b/ChangeLog.d/fix_tls_record_size_check.txt
new file mode 100644
index 0000000..13d452d
--- /dev/null
+++ b/ChangeLog.d/fix_tls_record_size_check.txt

@@ -0,0 +1,4 @@
+Bugfix
+   * Fix record sizes larger than 16384 being sometimes accepted despite being
+     non-compliant. This could not lead to a buffer overflow. In particular,
+     application data size was already checked correctly.

diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 580a1fb..56c1f33 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c

@@ -3809,7 +3809,7 @@
 
     /* Check actual (decrypted) record content length against
      * configured maximum. */
-    if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
+    if( rec->data_len > MBEDTLS_SSL_IN_CONTENT_LEN )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
         return( MBEDTLS_ERR_SSL_INVALID_RECORD );
commit	8b8a1610f70b9cf6f6972e3faef3021eba789b4d	[log] [tgz]
author	Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>	Fri Jul 01 12:29:48 2022 +0200
committer	GitHub <noreply@github.com>	Fri Jul 01 12:29:48 2022 +0200
tree	5374e077f928d03c0ac4e253b01cc5a92d2b548a
parent	f6a56cf5ff8289804f3a08c0c235aec1e254f2b5 [diff]
parent	668b31f210356ef26b1ca26bced775b3d36f63f9 [diff]