Remove redundant length check during record header parsing The check is in terms of the internal input buffer length and is hence likely to be originally intended to protect against overflow of the input buffer when fetching data from the underlying transport in mbedtls_ssl_fetch_input(). For locality of reasoning, it's better to perform such a check close to where it's needed, and in fact, mbedtls_ssl_fetch_input() _does_ contain an equivalent bounds check, too, rendering the bounds check in question redundant.

commit: c957e3b5f882214e8c81cdd28e0fd23b7e238901 [log] [tgz]
author: Hanno Becker <hanno.becker@arm.com> Wed Jul 10 11:37:19 2019 +0100
committer: Hanno Becker <hanno.becker@arm.com> Wed Aug 14 14:33:39 2019 +0100
tree: 1880df696bb7dbe8b587d1e6c18b432aea2a1e1d
parent: e2b786d40fcc17cf6231d177609b122894f26398 [diff]
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index ba8ba19..51dc603 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c

@@ -4935,13 +4935,6 @@
      * the presence of a CID. */
 
     ssl->in_msglen = ( ssl->in_len[0] << 8 ) | ssl->in_len[1];
-    if( ssl->in_msglen > MBEDTLS_SSL_IN_BUFFER_LEN
-                         - (size_t)( ssl->in_msg - ssl->in_buf ) )
-    {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
-        return( MBEDTLS_ERR_SSL_INVALID_RECORD );
-    }
-
     MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
                                 "version = [%d:%d], msglen = %d",
                                 ssl->in_msgtype,
commit	c957e3b5f882214e8c81cdd28e0fd23b7e238901	[log] [tgz]
author	Hanno Becker <hanno.becker@arm.com>	Wed Jul 10 11:37:19 2019 +0100
committer	Hanno Becker <hanno.becker@arm.com>	Wed Aug 14 14:33:39 2019 +0100
tree	1880df696bb7dbe8b587d1e6c18b432aea2a1e1d
parent	e2b786d40fcc17cf6231d177609b122894f26398 [diff]