bl4ck5un/mbedtls-SGX

[Security]

mustakimur opened this issue · 0 comments

Source: mbedtls-SGX/example/enclave/s_client.c

The opt.psk in ssl_client() must have its string length checked before the psk data is copied to the local psk buffer. The following code could be vulnerable to a stack overflow and overwrite the sensitive buf.

int ssl_client(client_opt_t opt, char* headers[],
               int n_header, unsigned char* output,
               int length){
  unsigned char buf[16385];
  unsigned char psk[32];
  ...
  if(strlen(opt.psk)){
    ...
    psk_len = strlen( opt.psk ) / 2;
    for(j = 0;j < strlen( opt.psk );j += 2){
      c = opt.psk[j];
      ...
      psk[j/2] = c << 4;
      ...
      c = opt.psk[j + 1];
      ...
      psk[j/2] |= c;
    }
  }
}
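
One way to add the length check the issue asks for, as an added example that is not part of the original issue or the mbedtls-SGX code. `decode_psk_hex`, `hex_nibble` and `PSK_MAX_LEN` are hypothetical names, and the 32-byte limit is taken from the `psk[32]` buffer in the excerpt.

```c
#include <stddef.h>
#include <string.h>

#define PSK_MAX_LEN 32  /* assumption: matches the psk[32] buffer in the excerpt */

/* Hypothetical helper: value of one hex digit, or -1 if it is not hex. */
static int hex_nibble(char ch)
{
    if (ch >= '0' && ch <= '9') return ch - '0';
    if (ch >= 'a' && ch <= 'f') return ch - 'a' + 10;
    if (ch >= 'A' && ch <= 'F') return ch - 'A' + 10;
    return -1;
}

/*
 * Hypothetical helper: decode a hex PSK string into out[out_size].
 * Returns 0 and sets *out_len on success. Returns -1 on NULL arguments,
 * an odd-length string, a non-hex character, or a key larger than out.
 */
int decode_psk_hex(const char *hex, unsigned char *out, size_t out_size,
                   size_t *out_len)
{
    size_t hex_len, j;

    if (hex == NULL || out == NULL || out_len == NULL)
        return -1;

    hex_len = strlen(hex);      /* computed once, not on every iteration */
    if (hex_len % 2 != 0)
        return -1;              /* not a whole number of bytes */
    if (hex_len / 2 > out_size)
        return -1;              /* bound check happens before any write */

    for (j = 0; j < hex_len; j += 2) {
        int hi = hex_nibble(hex[j]);
        int lo = hex_nibble(hex[j + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        out[j / 2] = (unsigned char)((hi << 4) | lo);
    }
    *out_len = hex_len / 2;
    return 0;
}
```

A caller would pass `psk` and `sizeof(psk)` and treat a `-1` return as a configuration error instead of continuing the handshake.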