esp_crt_bundle: Add bounds checking for the "esp_crt_bundle_set" API.

Closes https://github.com/espressif/esp-idf/issues/8397

components/mbedtls/test/test_esp_crt_bundle.c

@@ -25,6 +25,7 @@
 #include "mbedtls/debug.h"
 
 #include "esp_crt_bundle.h"
+#include "esp_random.h"
 
 #include "unity.h"
 #include "test_utils.h"
@@ -252,7 +253,7 @@ esp_err_t client_setup(mbedtls_endpoint_t *client)
     return ESP_OK;
 }
 
-int client_task(const uint8_t *bundle, esp_crt_validate_res_t *res)
+int client_task(const uint8_t *bundle, size_t bundle_size, esp_crt_validate_res_t *res)
 {
     int ret = ESP_FAIL;
 
@@ -268,7 +269,7 @@ int client_task(const uint8_t *bundle, esp_crt_validate_res_t *res)
     esp_crt_bundle_attach(&client.conf);
     if (bundle) {
         /* Set a bundle different from the menuconfig bundle */
-        esp_crt_bundle_set(bundle);
+        esp_crt_bundle_set(bundle, bundle_size);
     }
 
     ESP_LOGI(TAG, "Connecting to %s:%s...", SERVER_ADDRESS, SERVER_PORT);
@@ -328,11 +329,11 @@ TEST_CASE("custom certificate bundle", "[mbedtls]")
    }
 
    /* Test with default crt bundle that doesnt contain the ca crt */
-   client_task(NULL, &validate_res);
+   client_task(NULL, 0, &validate_res);
    TEST_ASSERT(validate_res == ESP_CRT_VALIDATE_FAIL);
 
    /* Test with bundle that does contain the CA crt */
-   client_task(server_cert_bundle_start, &validate_res);
+   client_task(server_cert_bundle_start, server_cert_bundle_end - server_cert_bundle_start, &validate_res);
    TEST_ASSERT(validate_res == ESP_CRT_VALIDATE_OK);
 
    exit_flag = true;
@@ -391,3 +392,50 @@ TEST_CASE("custom certificate bundle - wrong signature", "[mbedtls]")
 
     esp_crt_bundle_detach(NULL);
 }
+
+TEST_CASE("custom certificate bundle init API - bound checking", "[mbedtls]")
+{
+
+    uint8_t test_bundle[256] = {0};
+    esp_err_t esp_ret;
+    /* The API should fail with bundle size given as 1 */
+    esp_ret = esp_crt_bundle_set(test_bundle, 1);
+    TEST_ASSERT( esp_ret == ESP_ERR_INVALID_ARG);
+
+    /* Check that the esp_crt_bundle_set API will not accept a bundle
+     * which has more no. of certs than configured in
+     * CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_MAX_CERTS */
+
+    uint8_t rand;
+    esp_fill_random(&rand, 1);
+    test_bundle[0] = rand;
+
+    /* Make sure that the number of certs will always be greater than
+     * CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_MAX_CERTS */
+    test_bundle[1] = rand + CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_MAX_CERTS;
+
+    esp_ret = esp_crt_bundle_set(test_bundle, sizeof(test_bundle));
+    TEST_ASSERT( esp_ret == ESP_ERR_INVALID_ARG);
+
+    /* The API should fail with bundle_size < BUNDLE_HEADER_OFFSET (2) + CRT_HEADER_OFFSET (4) */
+    test_bundle[0] = 0;
+    test_bundle[1] = 1; /* set num_certs = 1 */
+    esp_ret = esp_crt_bundle_set(test_bundle, 5);
+    TEST_ASSERT(esp_ret == ESP_ERR_INVALID_ARG);
+
+    /* Cert number is greater than actual certs present, The API should fail */
+    /* Actual No. of certs present in bundle = 1, setting num_certs to 5 */
+    test_bundle[1] = 5; /* num_certs */
+    test_bundle[3] = 5; /* cert_1_name_len */
+    test_bundle[5] = 10; /* cert_1_pub_key_len */
+    /* Actual bundle size becomes BUNDLE_HEADER_OFFSET (2) + CRT_HEADER_OFFSET (4) + cert_1_name_len(5) + cert_1_pub_key_len(10)
+     * i.e. 21 bytes */
+    esp_ret = esp_crt_bundle_set(test_bundle, 21);
+    TEST_ASSERT(esp_ret == ESP_ERR_INVALID_ARG);
+
+    /* The API should fail if bundle_size < BUNDLE_HEADER_OFFSET (2) + CRT_HEADER_OFFSET (4) + cert_1_name_len(5) + cert_1_pub_key_len(10) */
+    esp_ret = esp_crt_bundle_set(test_bundle, 20);
+    TEST_ASSERT(esp_ret == ESP_ERR_INVALID_ARG);
+
+    esp_crt_bundle_detach(NULL);
+}