From: Eugene Syromiatnikov Date: Thu, 17 Jul 2025 13:10:25 +0000 (+0200) Subject: crypto/params_dup.c: add overflow check to ossl_param_buf_alloc X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=731fc629085d9dfc43c073e3e2e0ce6ce5e16349;p=thirdparty%2Fopenssl.git crypto/params_dup.c: add overflow check to ossl_param_buf_alloc Signed-off-by: Eugene Syromiatnikov Reviewed-by: Saša Nedvědický Reviewed-by: Matt Caswell Reviewed-by: Paul Dale Reviewed-by: Neil Horman (Merged from https://github.com/openssl/openssl/pull/28059)
---
diff --git a/crypto/params_dup.c b/crypto/params_dup.c
index 2087327658..cf432ef42d 100644
--- a/crypto/params_dup.c
+++ b/crypto/params_dup.c
@@ -10,6 +10,7 @@
 #include
 #include
 #include
+#include "internal/mem_alloc_utils.h"
 #include "internal/param_build_set.h"
 #define OSSL_PARAM_ALLOCATED_END 127
@@ -34,7 +35,13 @@ size_t ossl_param_bytes_to_blocks(size_t bytes)
 static int ossl_param_buf_alloc(OSSL_PARAM_BUF *out, size_t extra_blocks,
 int is_secure)
 {
- size_t sz = OSSL_PARAM_ALIGN_SIZE * (extra_blocks + out->blocks);
+ size_t num_blocks, sz = 0;
+
+ if (ossl_unlikely(!ossl_size_add(extra_blocks, out->blocks, &num_blocks,
+ OPENSSL_FILE, OPENSSL_LINE)
+ || !ossl_size_mul(num_blocks, OSSL_PARAM_ALIGN_SIZE, &sz,
+ OPENSSL_FILE, OPENSSL_LINE)))
+ return 0;
 out->alloc = is_secure ? OPENSSL_secure_zalloc(sz) : OPENSSL_zalloc(sz);
 if (out->alloc == NULL)
diff --git a/include/internal/mem_alloc_utils.h b/include/internal/mem_alloc_utils.h
index 7b259481ef..22c946c6df 100644
--- a/include/internal/mem_alloc_utils.h
+++ b/include/internal/mem_alloc_utils.h
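Review bot: The new guard in `ossl_param_buf_alloc` calls `ossl_size_add(...)` and negates its result, but the helper this commit adds in include/internal/mem_alloc_utils.h is named `ossl_size_add_of` and returns `true` when the sum wrapped. Unless an `ossl_size_add` that returns `true` on success is defined in a part of that header outside this diff, the call does not resolve; pointing it at `ossl_size_add_of` while keeping the `!` would invert the guard, returning 0 for every valid size and handing a wrapped `num_blocks` to `ossl_size_mul` and the allocator. I would make the helper agree with this caller and with `ossl_size_mul`: name it `ossl_size_add`, use `return false;` after `ossl_report_alloc_err_of(file, line);` and `return true;` at the end. The body of `ossl_param_buf_alloc` continues past the end of the hunk.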
@@ -82,4 +82,23 @@ ossl_size_mul(const size_t num, const size_t size, size_t *bytes,
 return true;
 }
+/*
+ * Check the result of size1 and size2 addition for overflow
+ * and set error if it is the case.
+ */
+static ossl_inline ossl_unused bool
+ossl_size_add_of(const size_t size1, const size_t size2, size_t *bytes,
+ const char * const file, const int line)
+{
+ *bytes = size1 + size2;
+
+ if (ossl_unlikely(*bytes < size1)) {
+ ossl_report_alloc_err_of(file, line);
+
+ return true;
+ }
+
+ return false;
+}
+
 #endif /* OSSL_INTERNAL_CHECK_SIZE_OVERFLOW_H */
diff --git a/ssl/quic/quic_txp.c b/ssl/quic/quic_txp.c
index 2920098b2d..c93987e798 100644
--- a/ssl/quic/quic_txp.c
+++ b/ssl/quic/quic_txp.c
@@ -3160,7 +3160,7 @@ static int txp_el_ensure_iovec(struct txp_el *el, size_t num)
 num = el->alloc_iovec != 0 ? el->alloc_iovec * 2 : 8;
- iovec = OPENSSL_realloc(el->iovec, sizeof(OSSL_QTX_IOVEC) * num);
+ iovec = OPENSSL_realloc_array(el->iovec, num, sizeof(OSSL_QTX_IOVEC));
 if (iovec == NULL)
 return 0;
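Review bot: The comment above `ossl_size_add_of` in the mem_alloc_utils.h hunk says an error is set on overflow but not what the `bool` result means or what `*bytes` holds afterwards. The body stores `size1 + size2` into `*bytes` before the check, so on overflow the caller is left with the wrapped sum. It would be easy to pass that value to an allocator if the return value is misread, more so because the `return true;` closing `ossl_size_mul` just above appears to be that function's success path (its overflow branch is outside the hunk). I would add to the comment: `Returns true if the addition overflowed; *bytes then holds the wrapped sum and must not be used as a size. Returns false otherwise.`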