Fix possible buffer overflow with PSK
parent
fdddac90a6
commit
b2bf5a1bbb
3 changed files with 14 additions and 2 deletions
library
|
@ -916,6 +916,9 @@ int ssl_psk_derive_premaster( ssl_context *ssl, key_exchange_type_t key_ex )
|
|||
}
|
||||
|
||||
/* opaque psk<0..2^16-1>; */
|
||||
if( end - p < 2 + (int) ssl->psk_len )
|
||||
return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
|
||||
|
||||
*(p++) = (unsigned char)( ssl->psk_len >> 8 );
|
||||
*(p++) = (unsigned char)( ssl->psk_len );
|
||||
memcpy( p, ssl->psk, ssl->psk_len );
|
||||
|
@ -3784,6 +3787,14 @@ int ssl_set_psk( ssl_context *ssl, const unsigned char *psk, size_t psk_len,
|
|||
if( psk == NULL || psk_identity == NULL )
|
||||
return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
|
||||
|
||||
/*
|
||||
* The length will be check later anyway, but in case it is obviously
|
||||
* too large, better abort now. The PMS is as follows:
|
||||
* other_len (2 bytes) + other + psk_len (2 bytes) + psk
|
||||
*/
|
||||
if( psk_len + 4 > POLARSSL_PREMASTER_SIZE )
|
||||
return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
|
||||
|
||||
if( ssl->psk != NULL )
|
||||
{
|
||||
polarssl_free( ssl->psk );
|
||||
|
|
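Review bot: In the `ssl_set_psk` hunk the new guard `if( psk_len + 4 > POLARSSL_PREMASTER_SIZE )` adds to a `size_t` before comparing, so a `psk_len` within 4 of `SIZE_MAX` wraps around and passes the check; `if( psk_len > POLARSSL_PREMASTER_SIZE - 4 )` keeps the arithmetic on the constant side and cannot wrap. The `ssl_psk_derive_premaster` hunk has a related weakness: `2 + (int) ssl->psk_len` narrows the length (presumably a `size_t`) to `int`, so that bounds check is only sound while the length is already known to be small. Comparing unsigned, e.g. `if( (size_t)( end - p ) < 2 + ssl->psk_len )`, would let the check that guards the `memcpy` stand on its own, which matters if `ssl->psk_len` can be set by any path other than `ssl_set_psk` (not visible here). The added comment also has a typo: "will be check later" should read "will be checked later". Both function bodies start and end outside the hunks shown.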