From 7f890c3e9684cdf664380adb57e1aca997fdef38 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Thu, 10 Dec 2015 14:36:25 +0100
Subject: [PATCH] Avoid seemingly-possible overflow

By looking just at that test, it looks like 2 + dn_size could overflow. In fact that can't happen as that would mean we've read a CA cert of size is too big to be represented by a size_t. However, it's best for code to be more obviously free of overflow without having to reason about the bigger picture.
---
 library/ssl_srv.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 1bda53c46..938ca7a2f 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -2474,7 +2474,9 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
 {
 dn_size = crt->subject_raw.len;
 
- if( end < p || (size_t)( end - p ) < 2 + dn_size )
+ if( end < p ||
+ (size_t)( end - p ) < dn_size ||
+ (size_t)( end - p ) < 2 + dn_size )
 {
 MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) );
 break;
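Review bot: The added middle clause `(size_t)( end - p ) < dn_size ||` is only meaningful when `2 + dn_size` would wrap, and nothing in the code says so, so a later reader is likely to drop it as redundant with the clause that follows. The bound can be made overflow-free by construction instead, e.g. `if( end < p || (size_t)( end - p ) < 2 || (size_t)( end - p ) - 2 < dn_size )`, which never forms the sum and needs no reasoning about how large dn_size can be. If the three-clause form is kept, a comment above it such as `/* checking dn_size alone first guarantees 2 + dn_size cannot wrap */` would record why both comparisons are there. ssl_write_certificate_request() begins and ends outside this hunk.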