From 3d8663b4f97dfefc0f695bf30943b19c22be8bff Mon Sep 17 00:00:00 2001
From: Krzysztof Stachowiak <krzysiek.stachowiak@gmail.com>
Date: Tue, 20 Mar 2018 11:19:50 +0100
Subject: [PATCH] Correct buffer size check

Further in the code the next field from the binary buffer is read. The
check contained an off by one error.
---
 library/ssl_cli.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 57d353ebd..a85474588 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -2675,7 +2675,17 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
     cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )];
     n = cert_type_len;
 
-    if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
+    /*
+     * In the subsequent code there are two paths that make read from buf:
+     *     * the length of the signature algorithms field (if minor version of
+     *       SSL is 3),
+     *     * distinguished name length otherwise.
+     * Both reach at most the index:
+     *    ...hdr_len + 2 + n,
+     * therefore the buffer length at this point must be greater than that
+     * regardless of the actual code path.
+     */
+    if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,