From 668b31f210356ef26b1ca26bced775b3d36f63f9 Mon Sep 17 00:00:00 2001
From: Paul Elliott
Date: Fri, 10 Jun 2022 14:11:31 +0100
Subject: [PATCH] Fix the wrong variable being used for TLS record size checks

Fix an issue whereby a variable was used to check the size of incoming TLS records against the configured maximum prior to it being set to the right value.

Signed-off-by: Paul Elliott
---
 ChangeLog.d/fix_tls_record_size_check.txt | 4 ++++
 library/ssl_msg.c | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 ChangeLog.d/fix_tls_record_size_check.txt

diff --git a/ChangeLog.d/fix_tls_record_size_check.txt b/ChangeLog.d/fix_tls_record_size_check.txt
new file mode 100644
index 000000000..13d452d61
--- /dev/null
+++ b/ChangeLog.d/fix_tls_record_size_check.txt
@@ -0,0 +1,4 @@
+Bugfix
+ * Fix record sizes larger than 16384 being sometimes accepted despite being
+ non-compliant. This could not lead to a buffer overflow. In particular,
+ application data size was already checked correctly.
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 083c8d2e6..0b31a3bff 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -3757,7 +3757,7 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl,
 /* Check actual (decrypted) record content length against
 * configured maximum. */
- if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
+ if( rec->data_len > MBEDTLS_SSL_IN_CONTENT_LEN )
 {
 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
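Review bot: The comment above the corrected check in library/ssl_msg.c does not say why `rec->data_len` is the right operand, so a later edit could put `ssl->in_msglen` back; per the commit message that field has not yet been set to the right value at this point. I would extend the comment with a line such as `* Use rec->data_len here: ssl->in_msglen is not yet updated for this record.` before the closing `*/`. The diffstat lists only the ChangeLog entry and this one-line change, so nothing in the patch pins the behaviour; a regression test that feeds a record whose decrypted length exceeds MBEDTLS_SSL_IN_CONTENT_LEN and expects MBEDTLS_ERR_SSL_INVALID_RECORD would keep the length check from silently regressing. ssl_prepare_record_content starts and ends outside the hunk, so where in_msglen is assigned cannot be confirmed from here.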