commit a09453f495d067feb6b85f2df9400dc732a1eb78
author Gilles Peskine <Gilles.Peskine@arm.com> Wed Apr 04 09:14:12 2018 +0200
committer Gilles Peskine <Gilles.Peskine@arm.com> Wed Apr 04 09:14:12 2018 +0200
tree 08dd126edde4678a19875924585ec24b070050ad
parent 1fae860f0f02a5fe9f966c8d7d4b96d62985f6c2
parent d6953b58d74fb721edf71c825355d76d93b64129

Merge branch 'pr_1395' into development-proposed

ChangeLog

diff --git a/ChangeLog b/ChangeLog
index 2af6cf2..dbbc19c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -65,6 +65,9 @@
      environment variable when using the project makefiles.
    * Optimize unnecessary zeroing in mbedtls_mpi_copy. Based on a contribution
      by Alexey Skalozub in #405.
+   * In the SSL module, when f_send, f_recv or f_recv_timeout report
+     transmitting more than the required length, return an error. Raised by
+     Sam O'Connor in #1245.
 
 = mbed TLS 2.8.0 branch released 2018-03-16
 

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 3802e23..eabf341 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2434,6 +2434,14 @@
             if( ret < 0 )
                 return( ret );
 
+            if ( (size_t)ret > len || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, 
+                    ( "f_recv returned %d bytes but only %lu were requested", 
+                    ret, (unsigned long)len ) );
+                return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+            }
+
             ssl->in_left += ret;
         }
     }
@@ -2481,6 +2489,14 @@
         if( ret <= 0 )
             return( ret );
 
+        if( (size_t)ret > ssl->out_left || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, 
+                ( "f_send returned %d bytes but only %lu bytes were sent", 
+                ret, (unsigned long)ssl->out_left ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
         ssl->out_left -= ret;
     }