From c23bf6e23caf8a812c0cdd86e83ca87d987abb1b Mon Sep 17 00:00:00 2001
From: Simon Butcher
Date: Tue, 22 Dec 2015 23:53:04 +0000
Subject: [PATCH] Avoid seemingly-possible overflow

By looking just at that test, it looks like 2 + dn_size could overflow. In fact that can't happen as that would mean we've read a CA cert of size is too big to be represented by a size_t. However, it's best for code to be more obviously free of overflow without having to reason about the bigger picture.
---
 library/ssl_srv.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 2f4ae6925..1e2fb6221 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -990,7 +990,9 @@ static int ssl_write_certificate_request( ssl_context *ssl )
 {
 dn_size = crt->subject_raw.len;
- if( end < p || (size_t)( end - p ) < 2 + dn_size )
+ if( end < p ||
+ (size_t)( end - p ) < dn_size ||
+ (size_t)( end - p ) < 2 + dn_size )
 {
 SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) );
 break;
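Review bot: The middle clause `(size_t)( end - p ) < dn_size` in the new condition exists only to keep the `2 + dn_size` comparison on the following line safe if that addition wraps, but nothing in the code says so, and a reader sees a clause that the third one visibly implies whenever no wrap occurs. The intent is clearer if the check subtracts from the known-bounded buffer length instead of adding to the certificate-derived length: `if( end < p || (size_t)( end - p ) < 2 ||` followed by `(size_t)( end - p ) - 2 < dn_size )`, which needs no overflow reasoning at all. If the three-clause form is kept, a one-line comment above it such as `/* check dn_size alone first: 2 + dn_size could wrap */` would carry the commit message's rationale into the source. The enclosing ssl_write_certificate_request body starts before and continues after this hunk.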