From: Matt Caswell Date: Mon, 25 May 2015 23:05:28 +0000 (+0100) Subject: Don't check for a negative SRP extension size X-Git-Tag: OpenSSL_1_0_1n~35 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=029e8f3ac9d54133c37145ad8d86208f0ffa26fa;p=oweals%2Fopenssl.git Don't check for a negative SRP extension size The size of the SRP extension can never be negative (the variable |size| is unsigned). Therefore don't check if it is less than zero. RT#3862 Reviewed-by: Richard Levitte (cherry picked from commit 9c89d290834f3ed9146eeb8b64fe5de817679a0b) --- diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 1ad25078c1..36ea9b0a09 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1134,7 +1134,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, } # ifndef OPENSSL_NO_SRP else if (type == TLSEXT_TYPE_srp) { - if (size <= 0 || ((len = data[0])) != (size - 1)) { + if (size == 0 || ((len = data[0])) != (size - 1)) { *al = SSL_AD_DECODE_ERROR; return 0; }
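Review bot: In the changed condition of the `TLSEXT_TYPE_srp` branch, the read of `data[0]` and the comparison against `size - 1` are safe only because `size == 0` is tested first and `||` short-circuits; with |size| unsigned, `size - 1` would wrap for a zero-length extension. That ordering dependency deserves a one-line comment so a later refactor does not reorder the operands. The assignment buried in the condition, `((len = data[0])) != (size - 1)`, would also read more clearly split out: test `size == 0` on its own, then assign `len = data[0]`, then compare `len != size - 1`, dropping the redundant pair of parentheses around the assignment. For an unsigned |size| the replacement of `<= 0` with `== 0` does not change behaviour, which matches the commit message.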