psk: fix read buffer overrun in the "pre_shared_key" extension

author Andrew Hamilton <adhamilt@gmail.com>

Mon, 7 Jul 2025 01:31:55 +0000 (10:31 +0900)

committer Daiki Ueno <ueno@gnu.org>

Mon, 7 Jul 2025 21:57:29 +0000 (06:57 +0900)
author Andrew Hamilton <adhamilt@gmail.com>
Mon, 7 Jul 2025 01:31:55 +0000 (10:31 +0900)
committer Daiki Ueno <ueno@gnu.org>
Mon, 7 Jul 2025 21:57:29 +0000 (06:57 +0900)
diff --git a/fuzz/gnutls_psk_client_fuzzer.repro/5477db1bb507a35e8833c758ce344f4b5b246d8e b/fuzz/gnutls_psk_client_fuzzer.repro/5477db1bb507a35e8833c758ce344f4b5b246d8e

new file mode 100644 (file)

index 0000000..009d44c

Binary files /dev/null and b/fuzz/gnutls_psk_client_fuzzer.repro/5477db1bb507a35e8833c758ce344f4b5b246d8e differ
diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c

index 51c4891d51075c58a9d2b8e316fa37cda5ee7993..2cb83e6707746fff36f5bcf8dd7152d8f0fa1893 100644 (file)
--- a/lib/ext/pre_shared_key.c
+++ b/lib/ext/pre_shared_key.c
@@ -1170,6 +1170,8 @@ static int _gnutls_psk_recv_params(gnutls_session_t session,
  
         if (session->security_parameters.entity == GNUTLS_CLIENT) {
                 if (session->internals.hsk_flags & HSK_PSK_KE_MODES_SENT) {
+                       DECR_LEN(len, 2);
+
                         uint16_t selected_identity = _gnutls_read_uint16(data);
  
                         for (i = 0; i < sizeof(session->key.binders) /
author	Andrew Hamilton <adhamilt@gmail.com>
	Mon, 7 Jul 2025 01:31:55 +0000 (10:31 +0900)
committer	Daiki Ueno <ueno@gnu.org>
	Mon, 7 Jul 2025 21:57:29 +0000 (06:57 +0900)
fuzz/gnutls_psk_client_fuzzer.repro/5477db1bb507a35e8833c758ce344f4b5b246d8e	[new file with mode: 0644]	patch \| blob
lib/ext/pre_shared_key.c		patch \| blob \| blame \| history