From e1423b93bd3553efa320e96178feb2e4fbf950d1 Mon Sep 17 00:00:00 2001
From: beck <>
Date: Wed, 15 Jul 2015 21:52:02 +0000
Subject: test for n<0 before use in CBS_init - mostly to shut up coverity.
 reluctant ok miod@

---
 src/lib/libssl/d1_srtp.c         | 13 +++++++++----
 src/lib/libssl/s3_both.c         | 10 ++++++++--
 src/lib/libssl/s3_clnt.c         | 21 ++++++++++++++++-----
 src/lib/libssl/src/ssl/d1_srtp.c | 13 +++++++++----
 src/lib/libssl/src/ssl/s3_both.c | 10 ++++++++--
 src/lib/libssl/src/ssl/s3_clnt.c | 21 ++++++++++++++++-----
 6 files changed, 66 insertions(+), 22 deletions(-)

diff --git a/src/lib/libssl/d1_srtp.c b/src/lib/libssl/d1_srtp.c
index 801eab1b76..8f05c4abc8 100644
--- a/src/lib/libssl/d1_srtp.c
+++ b/src/lib/libssl/d1_srtp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srtp.c,v 1.12 2015/07/14 03:38:26 doug Exp $ */
+/* $OpenBSD: d1_srtp.c,v 1.13 2015/07/15 21:52:02 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -303,11 +303,16 @@ ssl_parse_clienthello_use_srtp_ext(SSL *s, const unsigned char *d, int len,
 	uint16_t id;
 	CBS cbs, ciphers, mki;
 
-	CBS_init(&cbs, d, len);
+	if (len < 0) {
+		SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,
+		    SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
+		*al = SSL_AD_DECODE_ERROR;
+		goto done;
+	}
 
+	CBS_init(&cbs, d, len);
 	/* Pull off the cipher suite list */
-	if (len < 0 ||
-	    !CBS_get_u16_length_prefixed(&cbs, &ciphers) ||
+	if (!CBS_get_u16_length_prefixed(&cbs, &ciphers) ||
 	    CBS_len(&ciphers) % 2 ||
 	    CBS_len(&cbs) != 0) {
 		SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,
diff --git a/src/lib/libssl/s3_both.c b/src/lib/libssl/s3_both.c
index 5db0a11618..a19ce74380 100644
--- a/src/lib/libssl/s3_both.c
+++ b/src/lib/libssl/s3_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_both.c,v 1.41 2015/07/14 05:41:07 doug Exp $ */
+/* $OpenBSD: s3_both.c,v 1.42 2015/07/15 21:52:02 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -242,9 +242,15 @@ ssl3_get_finished(SSL *s, int a, int b)
 
 	md_len = s->method->ssl3_enc->finish_mac_length;
 
+	if (n < 0) {
+		al = SSL_AD_DECODE_ERROR;
+		SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_BAD_DIGEST_LENGTH);
+		goto f_err;
+	}
+
 	CBS_init(&cbs, s->init_msg, n);
 
-	if (n < 0 || s->s3->tmp.peer_finish_md_len != md_len ||
+	if (s->s3->tmp.peer_finish_md_len != md_len ||
 	    CBS_len(&cbs) != md_len) {
 		al = SSL_AD_DECODE_ERROR;
 		SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_BAD_DIGEST_LENGTH);
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 6bc5a8b622..3f7f3a411d 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.117 2015/07/15 18:35:34 beck Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.118 2015/07/15 21:52:02 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -996,7 +996,6 @@ ssl3_get_server_certificate(SSL *s)
 		goto f_err;
 	}
 
-	CBS_init(&cbs, s->init_msg, n);
 
 	if ((sk = sk_X509_new_null()) == NULL) {
 		SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
@@ -1004,8 +1003,13 @@ ssl3_get_server_certificate(SSL *s)
 		goto err;
 	}
 
-	if (n < 0 || CBS_len(&cbs) < 3)
+	if (n < 0)
+		goto truncated;
+
+	CBS_init(&cbs, s->init_msg, n);
+	if (CBS_len(&cbs) < 3)
 		goto truncated;
+
 	if (!CBS_get_u24_length_prefixed(&cbs, &cert_list) ||
 	    CBS_len(&cbs) != 0) {
 		al = SSL_AD_DECODE_ERROR;
@@ -1797,9 +1801,16 @@ ssl3_get_cert_status(SSL *s)
 	if (!ok)
 		return ((int)n);
 
-	CBS_init(&cert_status, s->init_msg, n);
+	if (n < 0) {
+		/* need at least status type + length */
+		al = SSL_AD_DECODE_ERROR;
+		SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
+		    SSL_R_LENGTH_MISMATCH);
+		goto f_err;
+	}
 
-	if (n < 0 || !CBS_get_u8(&cert_status, &status_type) ||
+	CBS_init(&cert_status, s->init_msg, n);
+	if (!CBS_get_u8(&cert_status, &status_type) ||
 	    CBS_len(&cert_status) < 3) {
 		/* need at least status type + length */
 		al = SSL_AD_DECODE_ERROR;
diff --git a/src/lib/libssl/src/ssl/d1_srtp.c b/src/lib/libssl/src/ssl/d1_srtp.c
index 801eab1b76..8f05c4abc8 100644
--- a/src/lib/libssl/src/ssl/d1_srtp.c
+++ b/src/lib/libssl/src/ssl/d1_srtp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srtp.c,v 1.12 2015/07/14 03:38:26 doug Exp $ */
+/* $OpenBSD: d1_srtp.c,v 1.13 2015/07/15 21:52:02 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -303,11 +303,16 @@ ssl_parse_clienthello_use_srtp_ext(SSL *s, const unsigned char *d, int len,
 	uint16_t id;
 	CBS cbs, ciphers, mki;
 
-	CBS_init(&cbs, d, len);
+	if (len < 0) {
+		SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,
+		    SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
+		*al = SSL_AD_DECODE_ERROR;
+		goto done;
+	}
 
+	CBS_init(&cbs, d, len);
 	/* Pull off the cipher suite list */
-	if (len < 0 ||
-	    !CBS_get_u16_length_prefixed(&cbs, &ciphers) ||
+	if (!CBS_get_u16_length_prefixed(&cbs, &ciphers) ||
 	    CBS_len(&ciphers) % 2 ||
 	    CBS_len(&cbs) != 0) {
 		SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,
diff --git a/src/lib/libssl/src/ssl/s3_both.c b/src/lib/libssl/src/ssl/s3_both.c
index 5db0a11618..a19ce74380 100644
--- a/src/lib/libssl/src/ssl/s3_both.c
+++ b/src/lib/libssl/src/ssl/s3_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_both.c,v 1.41 2015/07/14 05:41:07 doug Exp $ */
+/* $OpenBSD: s3_both.c,v 1.42 2015/07/15 21:52:02 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -242,9 +242,15 @@ ssl3_get_finished(SSL *s, int a, int b)
 
 	md_len = s->method->ssl3_enc->finish_mac_length;
 
+	if (n < 0) {
+		al = SSL_AD_DECODE_ERROR;
+		SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_BAD_DIGEST_LENGTH);
+		goto f_err;
+	}
+
 	CBS_init(&cbs, s->init_msg, n);
 
-	if (n < 0 || s->s3->tmp.peer_finish_md_len != md_len ||
+	if (s->s3->tmp.peer_finish_md_len != md_len ||
 	    CBS_len(&cbs) != md_len) {
 		al = SSL_AD_DECODE_ERROR;
 		SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_BAD_DIGEST_LENGTH);
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index 6bc5a8b622..3f7f3a411d 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.117 2015/07/15 18:35:34 beck Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.118 2015/07/15 21:52:02 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -996,7 +996,6 @@ ssl3_get_server_certificate(SSL *s)
 		goto f_err;
 	}
 
-	CBS_init(&cbs, s->init_msg, n);
 
 	if ((sk = sk_X509_new_null()) == NULL) {
 		SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
@@ -1004,8 +1003,13 @@ ssl3_get_server_certificate(SSL *s)
 		goto err;
 	}
 
-	if (n < 0 || CBS_len(&cbs) < 3)
+	if (n < 0)
+		goto truncated;
+
+	CBS_init(&cbs, s->init_msg, n);
+	if (CBS_len(&cbs) < 3)
 		goto truncated;
+
 	if (!CBS_get_u24_length_prefixed(&cbs, &cert_list) ||
 	    CBS_len(&cbs) != 0) {
 		al = SSL_AD_DECODE_ERROR;
@@ -1797,9 +1801,16 @@ ssl3_get_cert_status(SSL *s)
 	if (!ok)
 		return ((int)n);
 
-	CBS_init(&cert_status, s->init_msg, n);
+	if (n < 0) {
+		/* need at least status type + length */
+		al = SSL_AD_DECODE_ERROR;
+		SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
+		    SSL_R_LENGTH_MISMATCH);
+		goto f_err;
+	}
 
-	if (n < 0 || !CBS_get_u8(&cert_status, &status_type) ||
+	CBS_init(&cert_status, s->init_msg, n);
+	if (!CBS_get_u8(&cert_status, &status_type) ||
 	    CBS_len(&cert_status) < 3) {
 		/* need at least status type + length */
 		al = SSL_AD_DECODE_ERROR;
-- 
cgit v1.2.3-55-g6feb