quic/quic_demux: Mirror int overflow check from demux_alloc_urxe into demux_resize_urxe
authorJoshua Rogers <MegaManSec@users.noreply.github.com>
Sun, 12 Oct 2025 00:14:24 +0000 (08:14 +0800)
committerNeil Horman <nhorman@openssl.org>
Mon, 17 Nov 2025 13:44:28 +0000 (08:44 -0500)
Simple hardening. In practice new_alloc_len usually comes from demux->mtu or test injection length, but adding the same check here quiets analyzers.

Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28918)

(cherry picked from commit 965d6279e8fe2ffa5d0a06d11077cd9b721813cd)

ssl/quic/quic_demux.c

index 88135fe5b9e444a2b9b8aa590d17f5ce6be37b86..29840717cc0bdfdbebcb97df8cc26554eea71352 100644 (file)
@@ -338,6 +338,9 @@ static QUIC_URXE *demux_resize_urxe(QUIC_DEMUX *demux, QUIC_URXE *e,
     prev = ossl_list_urxe_prev(e);
     ossl_list_urxe_remove(&demux->urx_free, e);
 
+    if (new_alloc_len >= SIZE_MAX - sizeof(QUIC_URXE))
+        return NULL;
+
     e2 = OPENSSL_realloc(e, sizeof(QUIC_URXE) + new_alloc_len);
     if (e2 == NULL) {
         /* Failed to resize, abort. */
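Review bot: The new `return NULL` sits after `ossl_list_urxe_remove(&demux->urx_free, e)`, so on the overflow path `e` has already been unlinked from the free list and is neither reinserted nor freed before the function returns. The caller gets NULL while the entry is no longer tracked in `urx_free`, which looks like a leak and a free-list accounting error on exactly the path this hardening is meant to make safe. Moving the two added lines above `prev = ossl_list_urxe_prev(e);` rejects the length before any list state changes: `if (new_alloc_len >= SIZE_MAX - sizeof(QUIC_URXE)) return NULL;`. The function starts and ends outside this hunk; the `e2 == NULL` branch presumably puts `e` back on the list, but that code is not visible here, so confirm the early exit ends in the same state.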