Avoid undefined behaviour in PACKET_buf_init

Change the sanity check in PACKET_buf_init to check for excessive length buffers, which should catch the interesting cases where len has been cast from a negative value whilst avoiding any undefined behaviour. RT#4094 Reviewed-by: Richard Levitte <levitte@openssl.org>
author: Matt Caswell <matt@openssl.org> 2015-10-21 10:00:24 +0100
committer: Matt Caswell <matt@openssl.org> 2015-10-21 16:13:53 +0100
commit: 3fde6c9276c9cd6e56e8e06e756350a4fbdd7031 (patch)
tree: 0f2362240850565662ab8137268560c31dc51f7c /ssl/packet_locl.h
parent: 788d72ba021fdd29f6b3e573adc313d97f7d224d (diff)
download: openssl-3fde6c9276c9cd6e56e8e06e756350a4fbdd7031.zip
openssl-3fde6c9276c9cd6e56e8e06e756350a4fbdd7031.tar.gz
openssl-3fde6c9276c9cd6e56e8e06e756350a4fbdd7031.tar.bz2
1 files changed, 1 insertions, 1 deletions
diff --git a/ssl/packet_locl.h b/ssl/packet_locl.h
index 507d64f..cb61a93 100644
--- a/ssl/packet_locl.h
+++ b/ssl/packet_locl.h
@@ -111,7 +111,7 @@ __owur static inline int PACKET_buf_init(PACKET *pkt, unsigned char *buf,
                                          size_t len)
 {
     /* Sanity check for negative values. */
-    if (buf + len < buf)
+    if (len > (size_t)(SIZE_MAX / 2))
         return 0;
 
     pkt->curr = buf;
author	Matt Caswell <matt@openssl.org>	2015-10-21 10:00:24 +0100
committer	Matt Caswell <matt@openssl.org>	2015-10-21 16:13:53 +0100
commit	3fde6c9276c9cd6e56e8e06e756350a4fbdd7031 (patch)
tree	0f2362240850565662ab8137268560c31dc51f7c /ssl/packet_locl.h
parent	788d72ba021fdd29f6b3e573adc313d97f7d224d (diff)
download	openssl-3fde6c9276c9cd6e56e8e06e756350a4fbdd7031.zip openssl-3fde6c9276c9cd6e56e8e06e756350a4fbdd7031.tar.gz openssl-3fde6c9276c9cd6e56e8e06e756350a4fbdd7031.tar.bz2