Commit 965d6279e8 for openssl.org
commit 965d6279e8fe2ffa5d0a06d11077cd9b721813cd
Author: Joshua Rogers <MegaManSec@users.noreply.github.com>
Date: Sun Oct 12 08:14:24 2025 +0800
quic/quic_demux: Mirror int overflow check from demux_alloc_urxe into demux_resize_urxe
Simple hardening. In practice new_alloc_len usually comes from demux->mtu or test injection length, but adding the same check here quiets analyzers.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28918)
diff --git a/ssl/quic/quic_demux.c b/ssl/quic/quic_demux.c
index a84a44c6e9..fd466f9338 100644
--- a/ssl/quic/quic_demux.c
+++ b/ssl/quic/quic_demux.c
@@ -181,6 +181,9 @@ static QUIC_URXE *demux_resize_urxe(QUIC_DEMUX *demux, QUIC_URXE *e,
prev = ossl_list_urxe_prev(e);
ossl_list_urxe_remove(&demux->urx_free, e);
+ if (new_alloc_len >= SIZE_MAX - sizeof(QUIC_URXE))
+ return NULL;
+
e2 = OPENSSL_realloc(e, sizeof(QUIC_URXE) + new_alloc_len);
if (e2 == NULL) {
/* Failed to resize, abort. */
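Review bot: The new early `return NULL` sits after `ossl_list_urxe_remove(&demux->urx_free, e);`, so when the overflow check fires, `e` has already been unlinked from the free list and is neither reinserted nor freed on this path. Either move the `new_alloc_len >= SIZE_MAX - sizeof(QUIC_URXE)` test above the `prev = ossl_list_urxe_prev(e);` line, so the function bails out before touching the list, or have it share whatever cleanup the `e2 == NULL` branch performs (that branch is cut off in this hunk, but `prev` being saved suggests it puts `e` back). A short comment noting that the check mirrors the one in demux_alloc_urxe would also help keep the two in sync.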