author | jsing <> | 2020-03-10 17:11:25 +0000 |
---|---|---|
committer | jsing <> | 2020-03-10 17:11:25 +0000 |
commit | 4933192b832b483046f15d271150bd7c592ba9fc (patch) | |
tree | c720eff828444a92c90ec50ed52364e1de455f30 /src | |
parent | 2fc4169a1040fb41912043d6a402741eceda793f (diff) | |
Add a return value check to tls13_buffer_extend().
In the unlikely event that the return value from the read callback is
larger than the number of bytes we asked for, we can end up incrementing
buf->len beyond capacity. Check the return value from the read callback to
prevent this.
ok inoguchi@ tb@
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/libssl/tls13_buffer.c | 5 |
1 files changed, 4 insertions, 1 deletions
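--- a/src/lib/libssl/tls13_buffer.c
+++ b/src/lib/libssl/tls13_buffer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_buffer.c,v 1.2 2019/11/20 16:21:20 beck Exp $ */
+/* $OpenBSD: tls13_buffer.c,v 1.3 2020/03/10 17:11:25 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -104,6 +104,9 @@ tls13_buffer_extend(struct tls13_buffer *buf, size_t len,
 buf->capacity - buf->len, cb_arg)) <= 0)
 return ret;
 
+if (ret > buf->capacity - buf->len)
+return TLS13_IO_FAILURE;
+
 buf->len += ret;
 
 if (buf->len == buf->capacity)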
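Review bot: The new bound check on `ret` compares what appears to be a signed value (it is tested with `<= 0` just above) against the unsigned expression `buf->capacity - buf->len`, so it is correct only because the earlier return has already excluded zero and negative values. Making the conversion explicit would keep the check from silently changing meaning if the two tests are ever reordered: `if ((size_t)ret > buf->capacity - buf->len)`. The subtraction also assumes `buf->len <= buf->capacity`, an invariant established outside this hunk, and a one-line comment such as `/* The read callback must never report more bytes than requested. */` would record why an over-long return is treated as an I/O failure. tls13_buffer_extend() starts before and continues past the hunk.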