author | Joel Sing <jsing@cvs.openbsd.org> | 2020-03-10 17:11:26 +0000 |
---|---|---|
committer | Joel Sing <jsing@cvs.openbsd.org> | 2020-03-10 17:11:26 +0000 |
commit | fdbb50a5dcf26fd21a42577cdcde82b8fbeda6d1 (patch) | |
tree | 9061a41ca0f5f44276b9d0b1170803cbb41abe06 | |
parent | 327ae556cfccf1a9a85acb8072ad735929cc7785 (diff) |
Add a return value check to tls13_buffer_extend().

In the unlikely event that the return value from the read callback is
larger than the number of bytes we asked for, we can end up incrementing
buf->len beyond capacity. Check the return value from the read callback to
prevent this.

ok inoguchi@ tb@
-rw-r--r-- | lib/libssl/tls13_buffer.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/libssl/tls13_buffer.c b/lib/libssl/tls13_buffer.c index 8990327bb62..bc10abded2c 100644 --- a/lib/libssl/tls13_buffer.c +++ b/lib/libssl/tls13_buffer.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_buffer.c,v 1.2 2019/11/20 16:21:20 beck Exp $ */ +/* $OpenBSD: tls13_buffer.c,v 1.3 2020/03/10 17:11:25 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> * @@ -104,6 +104,9 @@ tls13_buffer_extend(struct tls13_buffer *buf, size_t len, buf->capacity - buf->len, cb_arg)) <= 0) return ret; + if (ret > buf->capacity - buf->len) + return TLS13_IO_FAILURE; + buf->len += ret; if (buf->len == buf->capacity) |
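Review bot: the added test "if (ret > buf->capacity - buf->len)" in the second hunk compares ret, which the preceding "<= 0" test treats as a signed value, against a size expression, and nothing at that line says why the conversion is safe. It is safe only because the early return above guarantees ret is positive by the time the comparison runs, so an explicit (size_t)ret cast or a one-line comment naming the misbehaving read callback case would keep a later reordering from silently breaking the check. The subtraction also depends on buf->len never exceeding buf->capacity; if those fields are unsigned, a violated invariant would wrap the right-hand side to a large value and the check would pass, so it is worth confirming that every other writer of buf->len maintains that invariant, or stating it in a comment next to the check.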