From 7f17155ac6c7cd7e191aa090bfe2547094c327c8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 10 Dec 2015 14:36:25 +0100 Subject: [PATCH] Avoid seemingly-possible overflow By looking just at that test, it looks like 2 + dn_size could overflow. In fact that can't happen as that would mean we've read a CA cert of size is too big to be represented by a size_t. However, it's best for code to be more obviously free of overflow without having to reason about the bigger picture. --- library/ssl_srv.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 9afd39989..6b5b461e1 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -2584,7 +2584,9 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) { dn_size = crt->subject_raw.len; - if( end < p || (size_t)( end - p ) < 2 + dn_size ) + if( end < p || + (size_t)( end - p ) < dn_size || + (size_t)( end - p ) < 2 + dn_size ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) ); break;