From 59be60e98b6732ca4bdafdf7b3ce553e90832f72 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 10 Jul 2019 14:53:43 +0100 Subject: [PATCH] Don't call ssl_fetch_input for record hdr size check in DTLS In DTLS, if mbedtls_ssl_fetch_input() is called multiple times without resetting the input buffer in between, the non-initial calls are functionally equivalent to mere bounds checks ensuring that the incoming datagram is large enough to hold the requested data. In the interest of code-size and modularity (removing a call to a non-const function which is logically const in this instance), this commit replaces such a call to mbedtls_ssl_fetch_input() by an explicit bounds check in ssl_parse_record_header(). --- library/ssl_tls.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 14a5a49ee..bae772a20 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4894,7 +4894,6 @@ static int ssl_check_record_type( uint8_t record_type ) static int ssl_parse_record_header( mbedtls_ssl_context *ssl ) { int major_ver, minor_ver; - int ret; /* Parse and validate record content type and version */ @@ -4930,11 +4929,11 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl ) * This would fail, for example, if we received a datagram of * size 13 + n Bytes where n is less than the size of incoming CIDs. */ - ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_in_hdr_len( ssl ) ); - if( ret != 0 ) + if( ssl->in_left < mbedtls_ssl_in_hdr_len( ssl ) ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); - return( ret ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "datagram too short to contain DTLS record header including CID of length %u.", + (unsigned) mbedtls_ssl_conf_get_cid_len( ssl->conf ) ) ); + return( MBEDTLS_ERR_SSL_INVALID_RECORD ); } } else