From 3081ba12bb20c72d5f854f66af6ce7c68b36ddd6 Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Wed, 11 Sep 2013 11:38:34 +0200
Subject: [PATCH] Fixed potential heap buffer overflow on large hostname
setting (cherry picked from commit 75c1a6f97c9b25b71bcc95b158bc673f6db04400)
Conflicts:
library/ssl_tls.c
---
ChangeLog | 1 +
library/ssl_tls.c | 6 +++++-
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 60ef749bc..4ae26dbb9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,7 @@ Security
* Potential buffer-overflow for ssl_read_record() (independently found by
both TrustInSoft and Paul Brodeur of Leviathan Security Group)
* Potential negative value misinterpretation in load_file()
+ * Potential heap buffer overflow on large hostname setting
= Version 1.1.7 released on 2013-06-19
Changes
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 73a6604c3..b3b82b075 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1991,6 +1991,10 @@ int ssl_set_hostname( ssl_context *ssl, const char *hostname )
return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
ssl->hostname_len = strlen( hostname );
+
+ if( ssl->hostname_len + 1 == 0 )
+ return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
+
ssl->hostname = (unsigned char *) malloc( ssl->hostname_len + 1 );
if( ssl->hostname == NULL )
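Review bot: `ssl->hostname_len` is overwritten with `strlen( hostname )` before the new wrap check runs, so when that check returns early the context keeps the new length while `ssl->hostname` is left untouched; the `malloc` failure branch below presumably also returns with a non-zero length and a NULL pointer. Computing the length in a local first, `size_t len = strlen( hostname );` then `if( len + 1 == 0 ) return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );`, and storing `ssl->hostname_len = len;` only after the allocation succeeds would keep the two fields consistent on every error path. The guard also rejects only a length equal to the type's maximum (assuming `hostname_len` is an unsigned `size_t`; its declaration is not visible here), so it puts no practical upper bound on the hostname. Any later code that copies `hostname_len` bytes into a fixed-size buffer would still need its own bound, so an explicit, documented maximum hostname length checked here would be the stronger guard. The body of `ssl_set_hostname` starts above and continues below this hunk.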
@@ -1998,7 +2002,7 @@ int ssl_set_hostname( ssl_context *ssl, const char *hostname )
memcpy( ssl->hostname, (unsigned char *) hostname,
ssl->hostname_len );
-
+
ssl->hostname[ssl->hostname_len] = '\0';
return( 0 );