From 8f70fba988d9c25d8d461e68b2c0c9285e0bc401 Mon Sep 17 00:00:00 2001
From: Johan Pascal <johan.pascal@belledonne-communications.com>
Date: Wed, 2 Sep 2020 10:32:06 +0200
Subject: [PATCH] Check the server hello output buffer size when writing the
 use_srtp ext

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
---
 library/ssl_srv.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 270700fac9..d07050534f 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -2634,10 +2634,12 @@ static void ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
 {
     size_t mki_len = 0, ext_len = 0;
     uint16_t profile_value = 0;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+
+    *olen = 0;
 
     if( ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_SRTP_UNSET_PROFILE )
     {
-        *olen = 0;
         return;
     }
 
@@ -2649,6 +2651,12 @@ static void ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
         mki_len = ssl->dtls_srtp_info.mki_len;
     }
 
+    if( end < buf + mki_len + 9 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+        return;
+    }
+
     /* extension */
     buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_USE_SRTP >> 8 ) & 0xFF );
     buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_USE_SRTP      ) & 0xFF );
@@ -2671,7 +2679,7 @@ static void ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
     }
     else
     {
-        *olen = 0;
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "use_srtp extension invalid profile" ) );
         return;
     }