From 67ba85650d726fdc4f2fa85800744713b78409b8 Mon Sep 17 00:00:00 2001
From: Ivan Grokhotkov <ivan@espressif.com>
Date: Thu, 19 Apr 2018 11:42:56 +0800
Subject: [PATCH] mbedtls: Prevent bounds check bypass through overflow in PSK
 identity parsing

This is a patch for CVE-2017-18187.
Cherry-picked from https://github.com/ARMmbed/mbedtls/commit/83c9f495ffe70c7dd280b41fdfd4881485a3bc28
Ref. https://github.com/espressif/esp-idf/issues/1730
---
 components/mbedtls/library/ssl_srv.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/components/mbedtls/library/ssl_srv.c b/components/mbedtls/library/ssl_srv.c
index f137c3dce..97d7a9e80 100644
--- a/components/mbedtls/library/ssl_srv.c
+++ b/components/mbedtls/library/ssl_srv.c
@@ -3436,7 +3436,7 @@ static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned cha
     /*
      * Receive client pre-shared key identity name
      */
-    if( *p + 2 > end )
+    if( end - *p < 2 )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
@@ -3445,7 +3445,7 @@ static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned cha
     n = ( (*p)[0] << 8 ) | (*p)[1];
     *p += 2;
 
-    if( n < 1 || n > 65535 || *p + n > end )
+    if( n < 1 || n > 65535 || n > (size_t) ( end - *p ) )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );