From 8b0d4242404f9e5da26e7594fa0864b2df4601af Mon Sep 17 00:00:00 2001
From: Andy Polyakov
Date: Thu, 2 Mar 2017 16:56:44 +0100
Subject: [PATCH] apps/s_client.c: harden ldap_ExtendedResponse_parse.

Reviewed-by: Rich Salz
Reviewed-by: Richard Levitte
---
 apps/s_client.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/apps/s_client.c b/apps/s_client.c
index b48c3066a7..e180772e7f 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -3091,6 +3091,8 @@ static int ldap_ExtendedResponse_parse(const char *buf, long rem)
 goto end;
 }
 
+ rem = len; /* ensure that we don't overstep the SEQUENCE */
+
 /* pull MessageID */
 inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem);
 if (inf != V_ASN1_UNIVERSAL || tag != V_ASN1_INTEGER ||
-- 
2.25.1
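Review bot: The added `rem = len;` limits only the next `ASN1_get_object()` call, the MessageID read; whether the limit holds for later elements depends on code past the end of this hunk. If the later element checks recompute `rem` from the end of the input buffer rather than from the end of the SEQUENCE, bytes trailing the SEQUENCE would still be accepted as part of the response. It is worth confirming that, or narrowing the buffer-end bound to `cur + len` at the same point so every later read stays inside the SEQUENCE body. The assignment also appears to rely on the check above the hunk having rejected a `len` larger than what remains in `buf`; a short comment such as `/* len was already checked against the remaining buffer */` would make that dependency explicit.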