From: Hugo Landau
Date: Thu, 27 Jul 2023 15:05:18 +0000 (+0100)
Subject: QUIC QRX: Handle negative IV length values correctly (coverity)
X-Git-Tag: openssl-3.2.0-alpha1~235
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b538ae4fbf1d9c800d2ed1cc6c317b36572ec7bb;p=thirdparty%2Fopenssl.git
QUIC QRX: Handle negative IV length values correctly (coverity)
Reviewed-by: Tomas Mraz
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/21565)
---
diff --git a/ssl/quic/quic_record_rx.c b/ssl/quic/quic_record_rx.c
index feb32d92725..4f4a1b84a9b 100644
--- a/ssl/quic/quic_record_rx.c
+++ b/ssl/quic/quic_record_rx.c
@@ -685,9 +685,9 @@ static int qrx_decrypt_pkt_body(OSSL_QRX *qrx, unsigned char *dst,
                                 unsigned char key_phase_bit, uint64_t *rx_key_epoch)
 {
-    int l = 0, l2 = 0, is_old_key;
+    int l = 0, l2 = 0, is_old_key, nonce_len;
     unsigned char nonce[EVP_MAX_IV_LENGTH];
-    size_t nonce_len, i, cctx_idx;
+    size_t i, cctx_idx;
     OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(&qrx->el_set, enc_level, 1);
     EVP_CIPHER_CTX *cctx;
@@ -731,7 +731,7 @@ static int qrx_decrypt_pkt_body(OSSL_QRX *qrx, unsigned char *dst,
     /* Construct nonce (nonce=IV ^ PN). */
     nonce_len = EVP_CIPHER_CTX_get_iv_length(cctx);
-    if (!ossl_assert(nonce_len >= sizeof(QUIC_PN)))
+    if (!ossl_assert(nonce_len >= (int)sizeof(QUIC_PN)))
         return 0;
     memcpy(nonce, el->iv[cctx_idx], nonce_len);
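Review bot: The corrected assertion on the `if (!ossl_assert(nonce_len >= (int)sizeof(QUIC_PN)))` line bounds nonce_len only from below, while the memcpy two lines later writes nonce_len bytes into the fixed-size local `nonce[EVP_MAX_IV_LENGTH]` and reads the same count from `el->iv[cctx_idx]`, so an IV length reported larger than EVP_MAX_IV_LENGTH (plausible from a third-party provider, though whether any shipped cipher can do so is not visible here) would overflow both buffers. Since the value is now a signed int, the upper bound is a one-line change: `if (!ossl_assert(nonce_len >= (int)sizeof(QUIC_PN) && nonce_len <= (int)sizeof(nonce)))`. The negative-return case the commit targets is handled because both operands of the comparison are now signed, which is worth recording next to the assignment with a comment such as `/* get_iv_length() can return a negative value on error; keep the compare signed. */` so a future "fix" of the int/size_t mix does not reintroduce the wraparound. qrx_decrypt_pkt_body begins before this hunk and continues after it.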