Avoid undefined behaviour in PACKET_buf_init
author Matt Caswell <matt@openssl.org>
Wed, 21 Oct 2015 09:00:24 +0000 (10:00 +0100)
committer Matt Caswell <matt@openssl.org>
Wed, 21 Oct 2015 15:13:53 +0000 (16:13 +0100)
Change the sanity check in PACKET_buf_init to check for excessive length
buffers, which should catch the interesting cases where len has been cast
from a negative value whilst avoiding any undefined behaviour.

RT#4094

Reviewed-by: Richard Levitte <levitte@openssl.org>
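To show the hazard the commit message describes (a negative length silently converted to a huge `size_t`) and how the corrected range check catches it without doing out-of-bounds pointer arithmetic, here is an added, self-contained example; it is not OpenSSL's code, and `demo_packet`, `demo_packet_buf_init`, `demo_init_from_int` and `demo_check` are names invented for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Minimal stand-in for a packet cursor (added example, not OpenSSL's PACKET). */
typedef struct {
    unsigned char *curr;
    size_t remaining;
} demo_packet;

/* Constructed 16-byte buffer and packet used by demo_check() and the tests. */
static unsigned char demo_buf[16];
static demo_packet demo_pkt;

/*
 * Same idea as the corrected check in the patch: reject any length too
 * large to be a real buffer, which catches a negative value that was cast
 * to size_t. Comparing len alone never forms the pointer buf + len, so no
 * out-of-bounds pointer arithmetic (the original undefined behaviour) occurs.
 */
int demo_packet_buf_init(demo_packet *pkt, unsigned char *buf, size_t len)
{
    if (len > SIZE_MAX / 2)
        return 0;
    pkt->curr = buf;
    pkt->remaining = len;
    return 1;
}

/*
 * The hazard itself: a caller passes an int length. The conversion to
 * size_t is implicit in real code; it is written out here so the reader
 * sees where -1 becomes SIZE_MAX.
 */
int demo_init_from_int(demo_packet *pkt, unsigned char *buf, int len)
{
    return demo_packet_buf_init(pkt, buf, (size_t)len);
}

/*
 * Exercises the check on the constructed buffer. Returns 1 when a valid
 * length is accepted and both a cast negative length and SIZE_MAX are
 * rejected, 0 otherwise.
 */
int demo_check(void)
{
    if (!demo_packet_buf_init(&demo_pkt, demo_buf, sizeof(demo_buf)))
        return 0;
    if (demo_pkt.remaining != sizeof(demo_buf) || demo_pkt.curr != demo_buf)
        return 0;
    if (demo_init_from_int(&demo_pkt, demo_buf, -1) != 0)
        return 0;
    if (demo_packet_buf_init(&demo_pkt, demo_buf, SIZE_MAX) != 0)
        return 0;
    return 1;
}
```

The threshold `SIZE_MAX / 2` is a heuristic, not a proof that `buf + len` stays inside the object: it rules out the values a negative signed length produces, which is the case the commit targets, while leaving genuine buffer sizes untouched.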
ssl/packet_locl.h

index 507d64f..cb61a93 100644
@@ -111,7 +111,7 @@ __owur static inline int PACKET_buf_init(PACKET *pkt, unsigned char *buf,
                                          size_t len)
 {
     /* Sanity check for negative values. */
-    if (buf + len < buf)
+    if (len > (size_t)(SIZE_MAX / 2))
         return 0;
 
     pkt->curr = buf;
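Review bot: the comment `/* Sanity check for negative values. */` no longer matches the condition beneath it; with `if (len > (size_t)(SIZE_MAX / 2))` the check rejects implausibly large lengths rather than testing for pointer wraparound, so reword it to say that, for example `/* Reject lengths too large to be a real buffer (e.g. a negative value cast to size_t). */`. Two smaller points: `SIZE_MAX` comes from `<stdint.h>`, and this hunk does not show that include, so confirm packet_locl.h already pulls it in; and the `(size_t)` cast on `SIZE_MAX / 2` is redundant, since `SIZE_MAX` already has type size_t. Replacing `buf + len < buf` outright, rather than keeping it next to the new test, is correct: forming a pointer past the end of the object is the undefined behaviour the commit sets out to avoid.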