quic/quic_demux: Mirror int overflow check from demux_alloc_urxe into demux_resize_urxe
authorJoshua Rogers <MegaManSec@users.noreply.github.com>
Sun, 12 Oct 2025 00:14:24 +0000 (08:14 +0800)
committerNeil Horman <nhorman@openssl.org>
Mon, 17 Nov 2025 13:41:12 +0000 (08:41 -0500)
Simple hardening. In practice new_alloc_len usually comes from demux->mtu or test injection length, but adding the same check here quiets analyzers.

Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28918)

ssl/quic/quic_demux.c

index a84a44c6e9fb1f9d03d70c4c7135baee157f910f..fd466f933866ff2bf951e1ae678d3ed2a3fd332b 100644 (file)
@@ -181,6 +181,9 @@ static QUIC_URXE *demux_resize_urxe(QUIC_DEMUX *demux, QUIC_URXE *e,
     prev = ossl_list_urxe_prev(e);
     ossl_list_urxe_remove(&demux->urx_free, e);
 
+    if (new_alloc_len >= SIZE_MAX - sizeof(QUIC_URXE))
+        return NULL;
+
     e2 = OPENSSL_realloc(e, sizeof(QUIC_URXE) + new_alloc_len);
     if (e2 == NULL) {
         /* Failed to resize, abort. */
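Review bot: The added `if (new_alloc_len >= SIZE_MAX - sizeof(QUIC_URXE)) return NULL;` sits after `ossl_list_urxe_remove(&demux->urx_free, e)`, so on this path `e` has already been unlinked from the free list and is neither reinserted nor freed before returning. A caller that receives NULL presumably still treats `e` as a free-list entry, which would leave an orphaned allocation and a list that is one entry short. Moving the two added lines above `prev = ossl_list_urxe_prev(e);` rejects the length before any list state changes. The function begins before this hunk and the realloc-failure branch continues past it, so whether that branch restores `e` is not visible here; if it does, this path should behave the same way.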