From cb7503750efc02c64cdb7167dee692e47c44c6e9 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Tue, 20 Feb 2018 10:20:20 +0000
Subject: [PATCH] Sanity check the ticket length before using key name/IV

This could in theory result in an overread - but due to the over allocation of the underlying buffer does not represent a security issue.

Thanks to Fedor Indutny for reporting this issue.

Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/5417)
---
 ssl/t1_lib.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 82ad601924..a186623505 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -3505,6 +3505,10 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
 EVP_CIPHER_CTX ctx;
 SSL_CTX *tctx = s->initial_ctx;
 
+ /* Need at least keyname + iv */
+ if (eticklen < 16 + EVP_MAX_IV_LENGTH)
+ return 2;
+
 /* Initialize session ticket encryption and HMAC contexts */
 HMAC_CTX_init(&hctx);
 EVP_CIPHER_CTX_init(&ctx);
-- 
2.40.0
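Review bot: The new guard in tls_decrypt_ticket hard-codes the key-name length as the literal `16` and returns the bare status `2`, so the hunk alone does not say what the bound protects or how the caller treats the result. Consider extending the comment to something like `/* Need at least keyname + iv: both are read from etick before the cipher's real IV length is known, hence EVP_MAX_IV_LENGTH; 2 = ticket is ignored */`. The meaning of `2` and the later use of the key name are defined outside the hunk, so confirm that wording against the rest of the function. Placing the check ahead of `HMAC_CTX_init`/`EVP_CIPHER_CTX_init` is what lets the early return skip cleanup, and the comment should say so to keep a later edit from moving it below them. The function starts and ends outside the hunk, so it cannot be seen here whether a later check also bounds the HMAC and ciphertext lengths.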