Add record size checking during handshake

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
Waleed Elmelegy 2023-12-05 20:08:51 +00:00
parent f482dcc6c7
commit 9aec1c71f2
6 changed files with 79 additions and 58 deletions


@ -917,6 +917,7 @@ int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
#endif
size_t add_data_len;
size_t post_avail;
int max_out_record_len = mbedtls_ssl_get_max_out_record_payload(ssl);
/* The SSL context is only used for debugging purposes! */
#if !defined(MBEDTLS_DEBUG_C)
@ -957,11 +958,11 @@ int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_BUF(4, "before encrypt: output payload",
data, rec->data_len);
if (rec->data_len > MBEDTLS_SSL_OUT_CONTENT_LEN) {
if (rec->data_len > (size_t) max_out_record_len) {
MBEDTLS_SSL_DEBUG_MSG(1, ("Record content %" MBEDTLS_PRINTF_SIZET
" too large, maximum %" MBEDTLS_PRINTF_SIZET,
rec->data_len,
(size_t) MBEDTLS_SSL_OUT_CONTENT_LEN));
(size_t) max_out_record_len));
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
@ -2742,7 +2743,7 @@ int mbedtls_ssl_start_handshake_msg(mbedtls_ssl_context *ssl, unsigned char hs_t
* ...
*/
*buf = ssl->out_msg + 4;
*buf_len = MBEDTLS_SSL_OUT_CONTENT_LEN - 4;
*buf_len = mbedtls_ssl_get_max_out_record_payload(ssl) - 4;
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = hs_type;
@ -2779,6 +2780,7 @@ int mbedtls_ssl_write_handshake_msg_ext(mbedtls_ssl_context *ssl,
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
const size_t hs_len = ssl->out_msglen - 4;
const unsigned char hs_type = ssl->out_msg[0];
int max_out_record_len = mbedtls_ssl_get_max_out_record_payload(ssl);
MBEDTLS_SSL_DEBUG_MSG(2, ("=> write handshake message"));
@ -2817,12 +2819,12 @@ int mbedtls_ssl_write_handshake_msg_ext(mbedtls_ssl_context *ssl,
*
* Note: We deliberately do not check for the MTU or MFL here.
*/
if (ssl->out_msglen > MBEDTLS_SSL_OUT_CONTENT_LEN) {
if (ssl->out_msglen > (size_t) max_out_record_len) {
MBEDTLS_SSL_DEBUG_MSG(1, ("Record too large: "
"size %" MBEDTLS_PRINTF_SIZET
", maximum %" MBEDTLS_PRINTF_SIZET,
ssl->out_msglen,
(size_t) MBEDTLS_SSL_OUT_CONTENT_LEN));
(size_t) max_out_record_len));
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
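Review bot: The value returned by `mbedtls_ssl_get_max_out_record_payload(ssl)` is stored in an `int` and then cast to `size_t` with no sign check, both in `mbedtls_ssl_encrypt_buf` and in `mbedtls_ssl_write_handshake_msg_ext`. If that call can return a negative error code (its `int` return type suggests so, and I believe it does on some DTLS/MTU paths), the cast produces a huge limit and the size check silently stops rejecting oversized records. In `mbedtls_ssl_start_handshake_msg` the same value minus 4 is assigned straight to `*buf_len`, so callers would be told the output buffer is far larger than it is. I would handle the error first, e.g. `if (max_out_record_len < 0) { return max_out_record_len; }`, before each comparison and before computing `*buf_len`. Separately, the retained comments "The SSL context is only used for debugging purposes!" and "We deliberately do not check for the MTU or MFL here" look stale now that `ssl` supplies the limit; all three functions extend beyond the hunks shown.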