From 965d6279e8fe2ffa5d0a06d11077cd9b721813cd Mon Sep 17 00:00:00 2001
From: Joshua Rogers
Date: Sun, 12 Oct 2025 08:14:24 +0800
Subject: [PATCH] quic/quic_demux: Mirror int overflow check from demux_alloc_urxe into demux_resize_urxe
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Simple hardening. In practice new_alloc_len usually comes from demux->mtu or test injection length, but adding the same check here quiets analyzers.

Signed-off-by: Joshua Rogers
Reviewed-by: Neil Horman
Reviewed-by: Saša Nedvědický
(Merged from https://github.com/openssl/openssl/pull/28918)
---
 ssl/quic/quic_demux.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ssl/quic/quic_demux.c b/ssl/quic/quic_demux.c
index a84a44c6e9f..fd466f93386 100644
--- a/ssl/quic/quic_demux.c
+++ b/ssl/quic/quic_demux.c
@@ -181,6 +181,9 @@ static QUIC_URXE *demux_resize_urxe(QUIC_DEMUX *demux, QUIC_URXE *e,
 prev = ossl_list_urxe_prev(e);
 ossl_list_urxe_remove(&demux->urx_free, e);

+ if (new_alloc_len >= SIZE_MAX - sizeof(QUIC_URXE))
+ return NULL;
+
 e2 = OPENSSL_realloc(e, sizeof(QUIC_URXE) + new_alloc_len);
 if (e2 == NULL) {
 /* Failed to resize, abort. */
-- 
2.47.3
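Review bot: The new `return NULL` sits after `ossl_list_urxe_remove(&demux->urx_free, e)`, so on the overflow path `e` has already been unlinked from the free list and is neither freed nor put back, leaving the entry orphaned. The realloc-failure branch just below ("Failed to resize, abort.") presumably restores the entry before returning, but its body is outside the hunk, and the early return skips whatever it does. Placing the check above `prev = ossl_list_urxe_prev(e);`, i.e. `if (new_alloc_len >= SIZE_MAX - sizeof(QUIC_URXE)) return NULL;` before the list is touched, rejects the oversized request without changing demux state. demux_resize_urxe begins and ends outside the hunk, so confirm the placement against the full function.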