From 3fde6c9276c9cd6e56e8e06e756350a4fbdd7031 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Wed, 21 Oct 2015 10:00:24 +0100 Subject: [PATCH] Avoid undefined behaviour in PACKET_buf_init Change the sanity check in PACKET_buf_init to check for excessive length buffers, which should catch the interesting cases where len has been cast from a negative value whilst avoiding any undefined behaviour. RT#4094 Reviewed-by: Richard Levitte --- ssl/packet_locl.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ssl/packet_locl.h b/ssl/packet_locl.h index 507d64f8c4..cb61a93ad3 100644 --- a/ssl/packet_locl.h +++ b/ssl/packet_locl.h @@ -111,7 +111,7 @@ __owur static inline int PACKET_buf_init(PACKET *pkt, unsigned char *buf, size_t len) { /* Sanity check for negative values. */ - if (buf + len < buf) + if (len > (size_t)(SIZE_MAX / 2)) return 0; pkt->curr = buf; -- 2.40.0