From d83584e9aa7bb7ebd955290a17eb1ca9bd9eab53 Mon Sep 17 00:00:00 2001
From: Paul Bakker <p.j.bakker@polarssl.org>
Date: Tue, 31 Dec 2013 11:35:16 +0100
Subject: [PATCH] Fixed potential overflow in certificate size in
 ssl_write_certificate()

---
 ChangeLog         | 2 ++
 library/ssl_tls.c | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 3bc8e9b50..aca990ff5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -11,6 +11,8 @@ Bugfix
    * Fixed x509_crt_parse_path() bug on Windows platforms
    * Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by
      TrustInSoft)
+   * Fixed potential overflow in certificate size verification in
+     ssl_write_certificate() (found by TrustInSoft)
 
 = Version 1.2.10 released 2013-10-07
 Changes
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index a8cc501aa..562f632a9 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2223,7 +2223,7 @@ int ssl_write_certificate( ssl_context *ssl )
     while( crt != NULL )
     {
         n = crt->raw.len;
-        if( i + 3 + n > SSL_MAX_CONTENT_LEN )
+        if( n > SSL_MAX_CONTENT_LEN - 3 - i )
         {
             SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
                            i + 3 + n, SSL_MAX_CONTENT_LEN ) );