Merge pull request #972 from ronald-cron-arm/buffer-overflow-in-cid-fix

Fix in_cid buffer size in transform structure
diff --git a/ChangeLog.d/fix-in-cid-buffer-size.txt b/ChangeLog.d/fix-in-cid-buffer-size.txt
new file mode 100644
index 0000000..8a6c850
--- /dev/null
+++ b/ChangeLog.d/fix-in-cid-buffer-size.txt
@@ -0,0 +1,4 @@
+Security
+    * Fix potential heap buffer overread and overwrite in DTLS if
+      MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and
+      MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX.
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 41bb9c5..72bf096 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -1021,7 +1021,7 @@
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
     uint8_t in_cid_len;
     uint8_t out_cid_len;
-    unsigned char in_cid [ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
+    unsigned char in_cid [ MBEDTLS_SSL_CID_IN_LEN_MAX ];
     unsigned char out_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
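Review bot: The two CID buffers still carry no statement of which limit bounds which length field, which is presumably how `in_cid` came to be sized by the outgoing maximum. A comment above the fields, such as `/* in_cid_len <= MBEDTLS_SSL_CID_IN_LEN_MAX; out_cid_len <= MBEDTLS_SSL_CID_OUT_LEN_MAX */`, would make a future mismatch visible in review. The code that fills and reads `in_cid` is outside this hunk, so it is worth confirming that it bounds the copy by the size of the `in_cid` field (or the incoming maximum) and does not rely on `in_cid_len` alone. Because the overread and overwrite only appear when the two maxima differ, a test configuration with unequal values would guard against regression; whether one exists is not visible here. The enclosing structure starts and ends outside the hunk.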