Check the server hello output buffer size when writing the use_srtp ext Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>

commit: 8f70fba988d9c25d8d461e68b2c0c9285e0bc401 [log] [tgz]
author: Johan Pascal <johan.pascal@belledonne-communications.com> Wed Sep 02 10:32:06 2020 +0200
committer: Johan Pascal <johan.pascal@belledonne-communications.com> Thu Oct 29 01:14:49 2020 +0100
tree: 77df59b4b0ddf94fd819d1236cf95695c17cd0c3
parent: 042d4568321c49ce263a298d7057591da3f577db [diff] [blame]
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 270700f..d070505 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c

@@ -2634,10 +2634,12 @@
 {
     size_t mki_len = 0, ext_len = 0;
     uint16_t profile_value = 0;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+
+    *olen = 0;
 
     if( ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_SRTP_UNSET_PROFILE )
     {
-        *olen = 0;
         return;
     }
 
@@ -2649,6 +2651,12 @@
         mki_len = ssl->dtls_srtp_info.mki_len;
     }
 
+    if( end < buf + mki_len + 9 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+        return;
+    }
+
     /* extension */
     buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_USE_SRTP >> 8 ) & 0xFF );
     buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_USE_SRTP      ) & 0xFF );
@@ -2671,7 +2679,7 @@
     }
     else
     {
-        *olen = 0;
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "use_srtp extension invalid profile" ) );
         return;
     }
commit	8f70fba988d9c25d8d461e68b2c0c9285e0bc401	[log] [tgz]
author	Johan Pascal <johan.pascal@belledonne-communications.com>	Wed Sep 02 10:32:06 2020 +0200
committer	Johan Pascal <johan.pascal@belledonne-communications.com>	Thu Oct 29 01:14:49 2020 +0100
tree	77df59b4b0ddf94fd819d1236cf95695c17cd0c3
parent	042d4568321c49ce263a298d7057591da3f577db [diff] [blame]