From 7630b1d222d3533996f8615417807746f21004a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mois=C3=A9s=20Guimar=C3=A3es?=
Date: Mon, 10 Mar 2014 12:16:58 -0300
Subject: [PATCH] Boundaries check for DoHelloVerifyRequest.

-- added size in the function parameters;
-- BUFFER_ERROR returned in case of message overflow (piece larger than the message size);
-- OPAQUE16_LEN used where 2 bytes are needed.
---
 src/internal.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index 5ca122db0..37ae4e6ee 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -69,7 +69,8 @@ CYASSL_CALLBACKS needs LARGE_STATIC_BUFFERS, please add LARGE_STATIC_BUFFERS
 #ifndef NO_CYASSL_CLIENT
- static int DoHelloVerifyRequest(CYASSL* ssl, const byte* input, word32*);
+ static int DoHelloVerifyRequest(CYASSL* ssl, const byte* input, word32*,
+ word32);
 static int DoServerHello(CYASSL* ssl, const byte* input, word32*, word32);
 static int DoServerKeyExchange(CYASSL* ssl, const byte* input, word32*);
 #ifndef NO_CERTS
@@ -3789,7 +3790,7 @@ static int DoHandShakeMsgType(CYASSL* ssl, byte* input, word32* inOutIdx,
 #ifndef NO_CYASSL_CLIENT
 case hello_verify_request:
 CYASSL_MSG("processing hello verify request");
- ret = DoHelloVerifyRequest(ssl, input,inOutIdx);
+ ret = DoHelloVerifyRequest(ssl, input,inOutIdx, size);
 break;
 case server_hello:
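Review bot: The rewritten call in the DoHandShakeMsgType hunk keeps the old unspaced `input,inOutIdx` while the rest of the argument list is spaced, so the line reads `ssl, input,inOutIdx, size`; since the line is touched anyway, `ret = DoHelloVerifyRequest(ssl, input, inOutIdx, size);` would match the surrounding calls. The value passed as `size` is what the callee's new checks compare against after recording `begin = *inOutIdx`, i.e. they bound bytes consumed from the entry index, so this is only a correct limit if `size` here is the length of the current handshake message body rather than the enclosing record; the new prototype sits next to DoServerHello's existing `word32` parameter, which presumably carries the same meaning, but neither the definition of `size` nor DoServerHello's use of it is visible in this hunk. DoHandShakeMsgType begins and ends outside the hunk.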
@@ -7444,27 +7445,36 @@ static void PickHashSigAlgo(CYASSL* ssl, static int DoHelloVerifyRequest(CYASSL* ssl, const byte* input, - word32* inOutIdx) + word32* inOutIdx, word32 size) { ProtocolVersion pv; byte cookieSz; + word32 begin = *inOutIdx; #ifdef CYASSL_CALLBACKS if (ssl->hsInfoOn) AddPacketName("HelloVerifyRequest", &ssl->handShakeInfo); if (ssl->toInfoOn) AddLateName("HelloVerifyRequest", &ssl->timeoutInfo); #endif + #ifdef CYASSL_DTLS if (ssl->options.dtls) { DtlsPoolReset(ssl); } #endif - XMEMCPY(&pv, input + *inOutIdx, sizeof(pv)); - *inOutIdx += (word32)sizeof(pv); + if ((*inOutIdx - begin) + OPAQUE16_LEN + OPAQUE8_LEN > size) + return BUFFER_ERROR; + + XMEMCPY(&pv, input + *inOutIdx, OPAQUE16_LEN); + *inOutIdx += OPAQUE16_LEN; + cookieSz = input[(*inOutIdx)++]; if (cookieSz) { + if ((*inOutIdx - begin) + cookieSz > size) + return BUFFER_ERROR; + #ifdef CYASSL_DTLS if (cookieSz <= MAX_COOKIE_LEN) { XMEMCPY(ssl->arrays->cookie, input + *inOutIdx, cookieSz);