From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Sat, 7 Apr 2018 19:27:27 +0000 (+0200)
Subject: ext/psk_ke_modes: corrected data access
X-Git-Tag: gnutls_3_6_3~182
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2242f125aa6f31de93fdd0342acf35f75ea89241;p=thirdparty%2Fgnutls.git

ext/psk_ke_modes: corrected data access

That also improves the if-checks.

Issue and reproducer discovered via oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7470

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
---

diff --git a/fuzz/gnutls_psk_server_fuzzer.repro/d757b818210bcaec5e297cdb5e30cee9059f9bc3 b/fuzz/gnutls_psk_server_fuzzer.repro/d757b818210bcaec5e297cdb5e30cee9059f9bc3
new file mode 100644
index 0000000000..8cc62c101e
Binary files /dev/null and b/fuzz/gnutls_psk_server_fuzzer.repro/d757b818210bcaec5e297cdb5e30cee9059f9bc3 differ
diff --git a/lib/ext/psk_ke_modes.c b/lib/ext/psk_ke_modes.c
index c6aef3bda8..afcbcb8ce1 100644
--- a/lib/ext/psk_ke_modes.c
+++ b/lib/ext/psk_ke_modes.c
@@ -139,9 +139,10 @@ psk_ke_modes_recv_params(gnutls_session_t session,
 		return gnutls_assert_val(0);
 
 	for (i=0;i<ke_modes_len;i++) {
+		DECR_LEN(len, 1);
 		if (data[i] == PSK_DHE_KE)
 			cli_dhpsk_pos = i;
-		if (data[i] == PSK_KE)
+		else if (data[i] == PSK_KE)
 			cli_psk_pos = i;
 
 		if (cli_psk_pos != MAX_POS && cli_dhpsk_pos != MAX_POS)