[Bug Report]: Patch for CVE-2018-9988 in reused component mbedtls-2.6.0 found by V1SCAN #120
Contact Details
weitingcai2020@gmail.com
What happened?
Using V1SCAN (a tool that scans for 1-day vulnerabilities present in reused code), I found that in your project the file
Huawei_LiteOS/components/security/mbedtls/mbedtls-2.6.0/library/ssl_cli.c
contains the function ssl_parse_server_key_exchange,
which may have a vulnerability of type CWE-125 (out-of-bounds read). The triggering logic is similar to GHSA-h9j8-4v77-hmr3; the specific reference links for CVE-2018-9988 are as follows:
NVD description link:
https://nvd.nist.gov/vuln/detail/CVE-2018-9988
Fix commit link:
Mbed-TLS/mbedtls@027f84c