From 3e397d55676b42ea05fbfe6e97e18af3055b54a6 Mon Sep 17 00:00:00 2001
From: xujie
Date: Thu, 16 Nov 2023 09:18:40 +0000
Subject: [PATCH] =?UTF-8?q?=E6=BC=8F=E6=B4=9E=E4=BF=AE=E5=A4=8D=20?= =?UTF-8?q?=E3=80=90CVE-2023-45199=E3=80=91?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: xujie
---
 library/ssl_tls12_client.c | 2 +-
 library/ssl_tls12_server.c | 7 +++++++
 library/ssl_tls13_generic.c | 7 +++++++
 3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index ecbffb496..2c80e94c6 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -1714,7 +1714,7 @@ static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
 unsigned char *end)
 {
 uint16_t tls_id;
- uint8_t ecpoint_len;
+ size_t ecpoint_len;
 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
 psa_ecc_family_t ec_psa_family = 0;
 size_t ec_bits = 0;
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 924e8b01a..a0e06afe8 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -3681,6 +3681,13 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid data length"));
 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
 }
+ if (data_len > sizeof(handshake->ecdh_psa_peerkey)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid public key length: %" MBEDTLS_PRINTF_SIZET
+ " > %" MBEDTLS_PRINTF_SIZET,
+ data_len,
+ sizeof(handshake->ecdh_psa_peerkey)));
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
 /* Store peer's ECDH public key. */
 memcpy(handshake->ecdh_psa_peerkey, p, data_len);
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 669a90a9b..e7688c45a 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
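Review bot: In library/ssl_tls12_client.c, the hunk in ssl_parse_server_ecdh_params only widens `ecpoint_len` from `uint8_t` to `size_t`; unlike the server and TLS 1.3 hunks it adds no comparison against `sizeof(handshake->ecdh_psa_peerkey)`. The code that reads the length and copies the peer point lies outside the hunk, so it should be confirmed that an explicit bound already precedes that copy, since the wider type no longer implies any ceiling by itself. If the guard is there, a comment on the declaration such as `/* size_t: compared against sizeof(handshake->ecdh_psa_peerkey) before the copy */` would record why the type changed.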
@@ -1446,6 +1446,13 @@ int mbedtls_ssl_tls13_read_public_ecdhe_share(mbedtls_ssl_context *ssl,
 /* Check if key size is consistent with given buffer length. */
 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, peerkey_len);
+ if (peerkey_len > sizeof(handshake->ecdh_psa_peerkey)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid public key length: %u > %" MBEDTLS_PRINTE_SIZET
+ (unsigned) peerkey_len,
+ sizeof(handshake->ecdh_psa_peerkey)));
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+
 /* Store peer's ECDH public key. */
 memcpy(handshake->ecdh_psa_peerkey, p, peerkey_len);
 handshake->ecdh_psa_peerkey_len = peerkey_len;
-- Gitee
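Review bot: The added debug call in mbedtls_ssl_tls13_read_public_ecdhe_share is malformed as written: the format macro is spelled `MBEDTLS_PRINTE_SIZET` and the line has no trailing comma before `(unsigned) peerkey_len`. The server hunk in this same patch uses `MBEDTLS_PRINTF_SIZET,`, so the line should read `MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid public key length: %u > %" MBEDTLS_PRINTF_SIZET,`. If the debug macro expands to nothing when debugging is compiled out, which is likely but not shown here, such builds would hide the error while debug-enabled builds fail to compile, so the fix should be built in both configurations. The length check and early return ahead of the `memcpy` are otherwise in the right place; the function body continues outside the hunk.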