Fix bounds check in ssl_parse_server_psk_hint() In the previous bounds check `(*p) > end - len`, the computation of `end - len` might underflow if `end` is within the first 64KB of the address space (note that the length `len` is controlled by the peer). In this case, the bounds check will be bypassed, leading to `*p` exceed the message bounds by up to 64KB when leaving `ssl_parse_server_psk_hint()`. In a pure PSK-based handshake, this doesn't seem to have any consequences, as `*p*` is not accessed afterwards. In a PSK-(EC)DHE handshake, however, `*p` is read from in `ssl_parse_server_ecdh_params()` and `ssl_parse_server_dh_params()` which might lead to an application crash of information leakage.
diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 8385720..b15bc51 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c
@@ -2097,7 +2097,7 @@ * * opaque psk_identity_hint<0..2^16-1>; */ - if( (*p) > end - 2 ) + if( end - (*p) < 2 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message " "(psk_identity_hint length)" ) ); @@ -2106,7 +2106,7 @@ len = (*p)[0] << 8 | (*p)[1]; *p += 2; - if( (*p) > end - len ) + if( end - (*p) < len ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message " "(psk_identity_hint length)" ) ); 