From: Joshua Rogers Date: Sun, 12 Oct 2025 00:14:24 +0000 (+0800) Subject: quic/quic_demux: Mirror int overflow check from demux_alloc_urxe into demux_resize_urxe X-Git-Tag: 4.0-PRE-CLANG-FORMAT-WEBKIT~192 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=965d6279e8fe2ffa5d0a06d11077cd9b721813cd;p=thirdparty%2Fopenssl.git quic/quic_demux: Mirror int overflow check from demux_alloc_urxe into demux_resize_urxe Simple hardening. In practice new_alloc_len usually comes from demux->mtu or test injection length, but adding the same check here quiets analyzers. Signed-off-by: Joshua Rogers Reviewed-by: Neil Horman Reviewed-by: Saša Nedvědický (Merged from https://github.com/openssl/openssl/pull/28918) --- diff --git a/ssl/quic/quic_demux.c b/ssl/quic/quic_demux.c index a84a44c6e9f..fd466f93386 100644 --- a/ssl/quic/quic_demux.c +++ b/ssl/quic/quic_demux.c @@ -181,6 +181,9 @@ static QUIC_URXE *demux_resize_urxe(QUIC_DEMUX *demux, QUIC_URXE *e, prev = ossl_list_urxe_prev(e); ossl_list_urxe_remove(&demux->urx_free, e); + if (new_alloc_len >= SIZE_MAX - sizeof(QUIC_URXE)) + return NULL; + e2 = OPENSSL_realloc(e, sizeof(QUIC_URXE) + new_alloc_len); if (e2 == NULL) { /* Failed to resize, abort. */
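Review bot: In demux_resize_urxe the new overflow check sits after `ossl_list_urxe_remove(&demux->urx_free, e);`, so its early `return NULL` leaves e unlinked from urx_free, and nothing visible in the hunk reinserts or frees it on that path. Move the `if (new_alloc_len >= SIZE_MAX - sizeof(QUIC_URXE))` test above `prev = ossl_list_urxe_prev(e);` so the function bails out before touching the list, or route it through the same recovery the OPENSSL_realloc failure branch uses. A one-line comment saying the check guards the `sizeof(QUIC_URXE) + new_alloc_len` addition passed to OPENSSL_realloc would also help, since the commit message says the value normally comes from demux->mtu or a test injection length and a reader may otherwise wonder why the test is there.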