Fix session save-load overflow issue

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
This commit is contained in:
Xiaokang Qian 2022-10-08 10:50:19 +00:00
parent ecd7528c7f
commit 6af2a6da74

View file

@ -297,14 +297,15 @@ int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst,
} }
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && defined(MBEDTLS_SSL_CLI_C)
if( src->hostname != NULL ) if( src->endpoint == MBEDTLS_SSL_IS_CLIENT && src->hostname != NULL )
{ {
dst->hostname = mbedtls_calloc( 1, src->hostname_len ); dst->hostname = mbedtls_calloc( 1, src->hostname_len );
if( dst->hostname == NULL ) if( dst->hostname == NULL )
return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
memcpy( dst->hostname, src->hostname, src->hostname_len ); memcpy( dst->hostname, src->hostname, src->hostname_len );
dst->hostname_len = src->hostname_len;
} }
#endif #endif
@ -1945,6 +1946,7 @@ mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
/* Serialization of TLS 1.3 sessions: /* Serialization of TLS 1.3 sessions:
* *
* struct { * struct {
* opaque hostname<1..2^16-1>;
* uint64 ticket_received; * uint64 ticket_received;
* uint32 ticket_lifetime; * uint32 ticket_lifetime;
* opaque ticket<1..2^16-1>; * opaque ticket<1..2^16-1>;
@ -1956,7 +1958,7 @@ mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
* uint32 ticket_age_add; * uint32 ticket_age_add;
* uint8 ticket_flags; * uint8 ticket_flags;
* opaque resumption_key<0..255>; * opaque resumption_key<0..255>;
* opaque hostname<1..2^8-1>; *
* select ( endpoint ) { * select ( endpoint ) {
* case client: ClientOnlyData; * case client: ClientOnlyData;
* case server: uint64 start_time; * case server: uint64 start_time;
@ -2021,13 +2023,13 @@ static int ssl_tls13_session_save( const mbedtls_ssl_session *session,
memcpy( p, session->resumption_key, session->resumption_key_len ); memcpy( p, session->resumption_key, session->resumption_key_len );
p += session->resumption_key_len; p += session->resumption_key_len;
p[0] = session->hostname_len;
p++;
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && defined(MBEDTLS_SSL_CLI_C) #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && defined(MBEDTLS_SSL_CLI_C)
if( session->endpoint == MBEDTLS_SSL_IS_CLIENT && if( session->endpoint == MBEDTLS_SSL_IS_CLIENT )
session->hostname_len > 0 &&
session->hostname != NULL )
{ {
p[0] = session->hostname_len;
p++;
if ( session->hostname_len > 0 &&
session->hostname != NULL )
/* save host name */ /* save host name */
memcpy( p, session->hostname, session->hostname_len ); memcpy( p, session->hostname, session->hostname_len );
p += session->hostname_len; p += session->hostname_len;
@ -2096,8 +2098,11 @@ static int ssl_tls13_session_load( mbedtls_ssl_session *session,
if( session->endpoint == MBEDTLS_SSL_IS_CLIENT ) if( session->endpoint == MBEDTLS_SSL_IS_CLIENT )
{ {
/* load host name */ /* load host name */
if( end - p < 1 )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
session->hostname_len = p[0]; session->hostname_len = p[0];
p += 1; p += 1;
if( end - p < session->hostname_len ) if( end - p < session->hostname_len )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
if( session->hostname_len > 0 ) if( session->hostname_len > 0 )