On Thu, Jul 10, 2014 at 11:26:46AM +0200, Chaney, Benjamin via RT wrote: > Hello, > I have been looking at the OpenSSL source code, and this jumped out as a > possible error. 'n?? is an unsigned before it is passed into ssl3_read_n, > which causes the worry of an overflow. To prevent this, I added check that > just makes sure that n is not less than zero, which wouldn't make sense > anyway. This is my first time posting a change for OpenSSL, so please > forgive any formatting errors.
n is signed: 139 int ssl3_read_n(SSL *s, int n, int max, int extend) and the checks 153 if (n <= 0) return n; and 200 if (left > 0 && n > left) 201 n = left; make sure n > 0 already. -Otto > Thanks, > Ben Chaney > > > diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c > index 8fc3bb4..1d0bc6a 100644 > --- a/ssl/s3_pkt.c > +++ b/ssl/s3_pkt.c > @@ -224,7 +224,7 @@ int ssl3_read_n(SSL *s, int n, int max, int extend) > rb->offset = len + align; > } > > - if (n > (int)(rb->len - rb->offset)) /* does not happen */ > + if ( (n > (int)(rb->len - rb->offset)) || (n < 0) ) /* does not > happen */ > { > SSLerr(SSL_F_SSL3_READ_N,ERR_R_INTERNAL_ERROR); > return -1; > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > Development Mailing List openssl-dev@openssl.org > Automated List Manager majord...@openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org