commit b309b92ee83a2f852f886815dae963ce2ab3bb36
author Hanno Becker <hanno.becker@arm.com> Thu Aug 23 13:18:05 2018 +0100
committer Hanno Becker <hanno.becker@arm.com> Thu Aug 23 13:18:05 2018 +0100
tree cfa24b19461742683def3dc107109ecac157ad40
parent 12b72c182e6e9885f88e5cc5cb1c5e22e7c25e0d

ssl_buffering_free_slot(): Double-check validity of slot index

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 651d5a5..41803b6 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4493,7 +4493,7 @@
         MBEDTLS_SSL_DEBUG_MSG( 2, ( "Free buffering slot %d to make space for reassembly of next handshake message",
                                     offset ) );
 
-        ssl_buffering_free_slot( ssl, offset );
+        ssl_buffering_free_slot( ssl, (uint8_t) offset );
 
         /* Check if we have enough space available now. */
         if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
@@ -8681,6 +8681,10 @@
 {
     mbedtls_ssl_handshake_params * const hs = ssl->handshake;
     mbedtls_ssl_hs_buffer * const hs_buf = &hs->buffering.hs[slot];
+
+    if( slot >= MBEDTLS_SSL_MAX_BUFFERED_HS )
+        return;
+
     if( hs_buf->is_valid == 1 )
     {
         hs->buffering.total_bytes_buffered -= hs_buf->data_len;