[Bug Report]: Patch for CVE-2018-9988 & CVE-2019-16910 in reused component mbedtls

[ltcdCai]

Contact Details
[email protected]

What happened?
我通过使用V1SCAN（一个扫描存在于复用代码中1-Day漏洞的工具），发现您的项目中Harmonykernel/KAL/LiteOS/Huawei_LiteOS/components/security/mbedtls/mbedtls-2.6.0/library文件夹下的ssl_cli.c文件和ecdsa.c文件可能存在漏洞, 具体参考链接如下：

CVE-2019-16910 in ecdsa.c:
相关触发逻辑类似GHSA-jg4p-c829-4q39
NVD说明链接：
https://nvd.nist.gov/vuln/detail/CVE-2019-16910
commit修复链接:
Mbed-TLS/mbedtls@027f84c

Since this is resulted mainly by reusing a file in older version, it is recommended to updating it to the latest version.

CVE-2018-9988 in ssl_cli.c:
相关触发逻辑类似GHSA-h9j8-4v77-hmr3
NVD说明链接：
https://nvd.nist.gov/vuln/detail/CVE-2018-9988
commit修复链接:
Mbed-TLS/mbedtls@33f66ba#diff-2fdf7c956098af4050cf1b26e4b5291e6aafab8e8682aa3fcab978baffa3c86c

Replace the line 2476: if( end != p + sig_len ) with the following line:
if( p != end - sig_len )

考虑到其可能存在的潜在风险，我愿意配合您以负责任的方式及时核实、解决和报告发现的漏洞。 如果您需要任何进一步的信息或帮助，请随时与我联系。如果需要，我也可以提交PR帮助您修复。 谢谢您，期待尽快收到您的回复！