Skip to content

Commit

Permalink
Simplify bounds check in ssl_write_certificate_request
Browse files Browse the repository at this point in the history
It is sufficient to check for the strongest limit only. Using a smaller
type ensures there is no overflow (assuming size_t is at least 32 bits).

Fixes Mbed-TLS#2916

Signed-off-by: irwir <[email protected]>
  • Loading branch information
irwir committed Apr 21, 2020
1 parent 65cc9a2 commit c9bc300
Showing 1 changed file with 5 additions and 5 deletions.
10 changes: 5 additions & 5 deletions library/ssl_srv.c
Original file line number Diff line number Diff line change
Expand Up @@ -2841,7 +2841,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
ssl->handshake->ciphersuite_info;
size_t dn_size, total_dn_size; /* excluding length bytes */
uint16_t dn_size, total_dn_size; /* excluding length bytes */
size_t ct_len, sa_len; /* including length bytes */
unsigned char *buf, *p;
const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Expand Down Expand Up @@ -2969,11 +2969,11 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )

while( crt != NULL && crt->version != 0 )
{
dn_size = crt->subject_raw.len;
/* It follows from RFC 5280 A.1 that this length
* can be represented in at most 11 bits. */
dn_size = (uint16_t) crt->subject_raw.len;

if( end < p ||
(size_t)( end - p ) < dn_size ||
(size_t)( end - p ) < 2 + dn_size )
if( end < p || (size_t)( end - p ) < 2 + (size_t) dn_size )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) );
break;
Expand Down

0 comments on commit c9bc300

Please sign in to comment.