From 3fde6c9276c9cd6e56e8e06e756350a4fbdd7031 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 21 Oct 2015 10:00:24 +0100
Subject: [PATCH 1/1] Avoid undefined behaviour in PACKET_buf_init

Change the sanity check in PACKET_buf_init to check for excessive length
buffers, which should catch the interesting cases where len has been cast
from a negative value whilst avoiding any undefined behaviour.

RT#4094

Reviewed-by: Richard Levitte <levitte@openssl.org>
---
 ssl/packet_locl.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssl/packet_locl.h b/ssl/packet_locl.h
index 507d64f8c4..cb61a93ad3 100644
--- a/ssl/packet_locl.h
+++ b/ssl/packet_locl.h
@@ -111,7 +111,7 @@ __owur static inline int PACKET_buf_init(PACKET *pkt, unsigned char *buf,
                                          size_t len)
 {
     /* Sanity check for negative values. */
-    if (buf + len < buf)
+    if (len > (size_t)(SIZE_MAX / 2))
         return 0;
 
     pkt->curr = buf;
-- 
2.34.1