From 8a3170571e886718699776777ab7fbb44320d4f1 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 21 Apr 2016 23:37:09 +0100 Subject: [PATCH] Fix bug in ssl_write_supported_elliptic_curves_ext Passing invalid curves to mbedtls_ssl_conf_curves potentially could caused a crash later in ssl_write_supported_elliptic_curves_ext. #373 --- ChangeLog | 2 ++ library/ssl_cli.c | 7 ++++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index ea55df8e1..bee652cf9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,6 +19,8 @@ Bugfix * Fix issue that caused a hang when generating RSA keys of odd bitlength * Fix bug in mbedtls_rsa_rsaes_pkcs1_v15_encrypt that made null pointer dereference possible. + * Fix issue that caused a crash if invalid curves were passed to + mbedtls_ssl_conf_curves. #373 Changes * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5, diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 52ddf9a92..7f5b94eb2 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -270,6 +270,12 @@ static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) { #endif + if( info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) ); + return; + } + elliptic_curve_len += 2; } @@ -289,7 +295,6 @@ static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) { #endif - elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8; elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF; }