From a5c5c58107645c8d2ee3f2d59ef6924a66d4fb74 Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Tue, 19 Mar 2024 13:54:15 +0100
Subject: [PATCH] tls13: srv: Fix potential stack buffer overread

Fix potential stack buffer overread when checking PSK binders.

Signed-off-by: Ronald Cron
---
 ChangeLog.d/binder-overread.txt | 4 ++++
 library/ssl_tls13_server.c | 8 +++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 ChangeLog.d/binder-overread.txt

diff --git a/ChangeLog.d/binder-overread.txt b/ChangeLog.d/binder-overread.txt
new file mode 100644
index 0000000000..c0ed4b7179
--- /dev/null
+++ b/ChangeLog.d/binder-overread.txt
@@ -0,0 +1,4 @@
+Security
+ * Fix a stack buffer overread (less than 256 bytes) when parsing a TLS 1.3
+ ClientHello in a TLS 1.3 server supporting some PSK key exchange mode. A
+ malicious client could cause information disclosure or a denial of service.
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 887c5c6c8f..af5e3805fb 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -414,6 +414,10 @@ static int ssl_tls13_offered_psks_check_binder_match(
 size_t psk_len;
 unsigned char server_computed_binder[PSA_HASH_MAX_SIZE];
+ if (binder_len != PSA_HASH_LENGTH(psk_hash_alg)) {
+ return SSL_TLS1_3_BINDER_DOES_NOT_MATCH;
+ }
+
 /* Get current state of handshake transcript. */
 ret = mbedtls_ssl_get_handshake_transcript(
 ssl, mbedtls_md_type_from_psa_alg(psk_hash_alg),
@@ -443,7 +447,9 @@ static int ssl_tls13_offered_psks_check_binder_match(
 server_computed_binder, transcript_len);
 MBEDTLS_SSL_DEBUG_BUF(3, "psk binder ( received ): ", binder, binder_len);
- if (mbedtls_ct_memcmp(server_computed_binder, binder, binder_len) == 0) {
+ if (mbedtls_ct_memcmp(server_computed_binder,
+ binder,
+ PSA_HASH_LENGTH(psk_hash_alg)) == 0) {
 return SSL_TLS1_3_BINDER_MATCH;
 }
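Review bot: The new length guard in the first ssl_tls13_server.c hunk has no comment saying why a binder whose length differs from the PSK's hash output is rejected before any hashing, and the reason is the whole point of this fix: the comparison further down reads hash-length bytes out of server_computed_binder, a PSA_HASH_MAX_SIZE stack buffer, and out of the client-supplied binder. I would put above the `if`: `/* A binder must be exactly one hash output long for this PSK's hash; reject anything else up front so the memcmp below never reads past server_computed_binder or binder. */`. The early return is not constant-time, which looks acceptable because the binder length is carried in the clear in the ClientHello, but a one-line note saying so would stop a later reader from folding this check into the constant-time path. The enclosing function starts before and ends after this hunk.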
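Review bot: In the second hunk, replacing `binder_len` by `PSA_HASH_LENGTH(psk_hash_alg)` in the mbedtls_ct_memcmp call is redundant once the first hunk has rejected every binder_len that differs from it, so a reader will wonder which of the two is the real bound. Keeping it as defence in depth is fine, but say so: `/* Equal to binder_len after the length check above; use the hash length so the bound can never exceed server_computed_binder. */`. The debug line just above prints the computed binder with `transcript_len`, so if that is the output length of the transcript call (not visible in this hunk), comparing `transcript_len` bytes would tie the compared length to what was actually written into server_computed_binder rather than re-evaluating the macro. The enclosing function starts before and ends after this hunk.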