Avoid undefined behaviour in PACKET_buf_init

Change the sanity check in PACKET_buf_init to check for excessive length buffers, which should catch the interesting cases where len has been cast from a negative value whilst avoiding any undefined behaviour. RT#4094 Reviewed-by: N Richard Levitte <levitte@openssl.org>

Avoid undefined behaviour in PACKET_buf_init
Change the sanity check in PACKET_buf_init to check for excessive length buffers, which should catch the interesting cases where len has been cast from a negative value whilst avoiding any undefined behaviour. RT#4094 Reviewed-by: N Richard Levitte <levitte@openssl.org>
3fde6c92 · Matt Caswell · 788d72ba · 3fde6c92
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

ssl/packet_locl.h ssl/packet_locl.h +1 -1

未找到文件。
--- a/ssl/packet_locl.h
+++ b/ssl/packet_locl.h
@@ -111,7 +111,7 @@ __owur static inline int PACKET_buf_init(PACKET *pkt, unsigned char *buf,
                                         size_t len)
 {
    /* Sanity check for negative values. */
-    if (buf + len < buf)
+    if (len > (size_t)(SIZE_MAX / 2))
        return 0;

    pkt->curr = buf;