Fix potential overflow in CertificateRequest

commit: d64f1ad98b40417d583b80e23b646737cf086dcf [log] [tgz]
author: Manuel Pégourié-Gonnard <mpg2@elzevir.fr> Fri Oct 02 11:16:47 2015 +0200
committer: Manuel Pégourié-Gonnard <mpg2@elzevir.fr> Fri Oct 02 12:36:02 2015 +0200
tree: 9719d6c4c8784d49e69a7809851d8b04bcb23437
parent: 9a656a0aaa2ee184fc59a2a4dd1dcf6d1d536c43 [diff] [blame]
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index cd9802a..2f4ae69 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c

@@ -923,6 +923,7 @@
     size_t n = 0, dn_size, total_dn_size;
     unsigned char *buf, *p;
     const x509_cert *crt;
+    const unsigned char * const end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
 
     SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
 
@@ -987,10 +988,14 @@
     total_dn_size = 0;
     while( crt != NULL && crt->version != 0)
     {
-        if( p - buf > 4096 )
-            break;
-
         dn_size = crt->subject_raw.len;
+
+        if( end < p || (size_t)( end - p ) < 2 + dn_size )
+        {
+            SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) );
+            break;
+        }
+
         *p++ = (unsigned char)( dn_size >> 8 );
         *p++ = (unsigned char)( dn_size      );
         memcpy( p, crt->subject_raw.p, dn_size );
commit	d64f1ad98b40417d583b80e23b646737cf086dcf	[log] [tgz]
author	Manuel Pégourié-Gonnard <mpg2@elzevir.fr>	Fri Oct 02 11:16:47 2015 +0200
committer	Manuel Pégourié-Gonnard <mpg2@elzevir.fr>	Fri Oct 02 12:36:02 2015 +0200
tree	9719d6c4c8784d49e69a7809851d8b04bcb23437
parent	9a656a0aaa2ee184fc59a2a4dd1dcf6d1d536c43 [diff] [blame]