From 4933192b832b483046f15d271150bd7c592ba9fc Mon Sep 17 00:00:00 2001 From: jsing <> Date: Tue, 10 Mar 2020 17:11:25 +0000 Subject: Add a return value check to tls13_buffer_extend(). In the unlikely event that the return value from the read callback is larger than the number of bytes we asked for, we can end up incrementing buf->len beyond capacity. Check the return value from the read callback to prevent this. ok inoguchi@ tb@ --- src/lib/libssl/tls13_buffer.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'src/lib') diff --git a/src/lib/libssl/tls13_buffer.c b/src/lib/libssl/tls13_buffer.c index 8990327bb6..bc10abded2 100644 --- a/src/lib/libssl/tls13_buffer.c +++ b/src/lib/libssl/tls13_buffer.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_buffer.c,v 1.2 2019/11/20 16:21:20 beck Exp $ */ +/* $OpenBSD: tls13_buffer.c,v 1.3 2020/03/10 17:11:25 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing * @@ -104,6 +104,9 @@ tls13_buffer_extend(struct tls13_buffer *buf, size_t len, buf->capacity - buf->len, cb_arg)) <= 0) return ret; + if (ret > buf->capacity - buf->len) + return TLS13_IO_FAILURE; + buf->len += ret; if (buf->len == buf->capacity) -- cgit v1.2.3-55-g6feb