From: Eugene Syromiatnikov <esyr@openssl.org>
Date: Fri, 29 Aug 2025 08:02:39 +0000 (+0200)
Subject: crypto/rand/randfile.c: avoid signed integer overflow in RAND_load_file
X-Git-Tag: openssl-3.4.3~42
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5473955b3015d3ca49c040e5cf6ab9cd6bcdc1c8;p=thirdparty%2Fopenssl.git

crypto/rand/randfile.c: avoid signed integer overflow in RAND_load_file

If a file supplied to RAND_load_file is too big (more than INT_MAX bytes),
it is possible to trigger a signer integer overflow during ret calculation.
Avoid it by returning early when we are about to hit it on the next
iteration.

Reported-by: Liu-Ermeng <liuermeng2@huawei.com>
Resolves: https://github.com/openssl/openssl/issues/28375
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28379)

(cherry picked from commit 35db6a15d436aa4d981ebcd581eded55fc8c8fb6)
---

diff --git a/crypto/rand/randfile.c b/crypto/rand/randfile.c
index 9337b36dc8b..adfdb0f414e 100644
--- a/crypto/rand/randfile.c
+++ b/crypto/rand/randfile.c
@@ -167,6 +167,10 @@ int RAND_load_file(const char *file, long bytes)
         /* If given a bytecount, and we did it, break. */
         if (bytes > 0 && (bytes -= i) <= 0)
             break;
+
+        /* We can hit a signed integer overflow on the next iteration */
+        if (ret > INT_MAX - RAND_LOAD_BUF_SIZE)
+            break;
     }
 
     OPENSSL_cleanse(buf, sizeof(buf));
diff --git a/doc/man3/RAND_load_file.pod b/doc/man3/RAND_load_file.pod
index baca54cb3c8..fd00bf883d4 100644
--- a/doc/man3/RAND_load_file.pod
+++ b/doc/man3/RAND_load_file.pod
@@ -20,6 +20,8 @@ RAND_load_file() reads a number of bytes from file B<filename> and
 adds them to the PRNG. If B<max_bytes> is nonnegative,
 up to B<max_bytes> are read;
 if B<max_bytes> is -1, the complete file is read.
+RAND_load_file() can read less than the complete file or the requested number
+of bytes if it doesn't fit in the return value type.
 Do not load the same file multiple times unless its contents have
 been updated by RAND_write_file() between reads.
 Also, note that B<filename> should be adequately protected so that an