From: Hugo Landau
Date: Thu, 27 Jul 2023 15:11:45 +0000 (+0100)
Subject: QUIC QTX: Handle negative IV values correctly (coverity)
X-Git-Tag: openssl-3.2.0-alpha1~233
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a2d4915ab2730797f97c90a127084a668733c96c;p=thirdparty%2Fopenssl.git

QUIC QTX: Handle negative IV values correctly (coverity)

Reviewed-by: Tomas Mraz
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/21565)
---

diff --git a/ssl/quic/quic_record_tx.c b/ssl/quic/quic_record_tx.c
index 68142ad6cf8..09056ecddcd 100644
--- a/ssl/quic/quic_record_tx.c
+++ b/ssl/quic/quic_record_tx.c
@@ -472,11 +472,11 @@ static int qtx_encrypt_into_txe(OSSL_QTX *qtx, struct iovec_cur *cur, TXE *txe,
                                 const unsigned char *hdr, size_t hdr_len,
                                 QUIC_PKT_HDR_PTRS *ptrs)
 {
-    int l = 0, l2 = 0;
+    int l = 0, l2 = 0, nonce_len;
     OSSL_QRL_ENC_LEVEL *el
         = ossl_qrl_enc_level_set_get(&qtx->el_set, enc_level, 1);
     unsigned char nonce[EVP_MAX_IV_LENGTH];
-    size_t nonce_len, i;
+    size_t i;
     EVP_CIPHER_CTX *cctx = NULL;
 
     /* We should not have been called if we do not have key material. */
@@ -501,10 +501,10 @@ static int qtx_encrypt_into_txe(OSSL_QTX *qtx, struct iovec_cur *cur, TXE *txe,
 
     /* Construct nonce (nonce=IV ^ PN). */
     nonce_len = EVP_CIPHER_CTX_get_iv_length(cctx);
-    if (!ossl_assert(nonce_len >= sizeof(QUIC_PN)))
+    if (!ossl_assert(nonce_len >= (int)sizeof(QUIC_PN)))
         return 0;
 
-    memcpy(nonce, el->iv[0], nonce_len);
+    memcpy(nonce, el->iv[0], (size_t)nonce_len);
     for (i = 0; i < sizeof(QUIC_PN); ++i)
         nonce[nonce_len - i - 1] ^= (unsigned char)(pn >> (i * 8));
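Review bot: The new `memcpy(nonce, el->iv[0], (size_t)nonce_len)` in the second hunk is still only bounded from below: the assert now correctly rejects a negative or too-short IV length, but nothing checks that `nonce_len` fits the fixed `unsigned char nonce[EVP_MAX_IV_LENGTH]` declared in the first hunk, so an oversized length reported by the cipher context would overrun that stack buffer (and presumably the `el->iv[0]` source, whose declaration is outside this diff). Because the length comes from an accessor whose return value is now trusted for a stack write, the cheap fix is to assert both ends in the same place: `if (!ossl_assert(nonce_len >= (int)sizeof(QUIC_PN) && nonce_len <= (int)sizeof(nonce)))`. Whether the ciphers the QTX installs can ever report more than EVP_MAX_IV_LENGTH depends on setup code not shown here, which is exactly why the bound belongs next to the copy rather than in the caller; qtx_encrypt_into_txe starts before the first hunk and continues past the second.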