Validate ClientHello extension field length

RT#4069

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index d70b93feadf0bd8198db02a015aa9bd9c6ebf9e8..ef6c6fa270b1490ce24c3615c81e34660a52dcdc 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1024,7 +1024,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
 
     n2s(data, len);
 
-    if (data > (d + n - len))
+    if (data + len != d + n)
         goto err;
 
     while (data <= (d + n - 4)) {