From e5af9fabf7d68e3807b6ea78792794b8352dbba2 Mon Sep 17 00:00:00 2001
From: Andrzej Kurek <andrzej.kurek@arm.com>
Date: Mon, 6 Jun 2022 14:42:41 -0400
Subject: [PATCH] Add missing sid_len in calculations of cookie sizes This
 could lead to a potential buffer overread with small
 MBEDTLS_SSL_IN_CONTENT_LEN. Change the bound calculations so that it is
 apparent what lengths and sizes are used.

Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
---
 library/ssl_msg.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 7c478ca651..9897f3ca4e 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -3295,7 +3295,7 @@ static int ssl_check_dtls_clihlo_cookie(
     }
 
     sid_len = in[59];
-    if( sid_len > in_len - 61 )
+    if( 59 + 1 + sid_len + 1 > in_len )
     {
         MBEDTLS_SSL_DEBUG_MSG( 4, ( "check cookie: sid_len=%u > %u",
                                     (unsigned) sid_len,
@@ -3306,10 +3306,11 @@ static int ssl_check_dtls_clihlo_cookie(
                            in + 60, sid_len );
 
     cookie_len = in[60 + sid_len];
-    if( cookie_len > in_len - 60 ) {
+    if( 59 + 1 + sid_len + 1 + cookie_len > in_len )
+    {
         MBEDTLS_SSL_DEBUG_MSG( 4, ( "check cookie: cookie_len=%u > %u",
                                     (unsigned) cookie_len,
-                                    (unsigned) in_len - 60 ) );
+                                    (unsigned) ( in_len - sid_len - 61 ) ) );
         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
     }