authorDr. Stephen Henson <steve@openssl.org>2016-08-02 21:38:37 +0100
committerDr. Stephen Henson <steve@openssl.org>2016-08-04 17:34:28 +0100
commit20fc103f782bb0bcd41d211c6423187b02146b9d (patch)
tree1114ec92316d1f4288810078bcfd8849d80d4617 /crypto/ts
parentacc00492130d53d2d6a25bbe5409240aeba98420 (diff)
Limit status message sisze in ts_get_status_check
Thanks to Shi Lei for reporting this issue. Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'crypto/ts')
-rw-r--r--crypto/ts/ts_rsp_verify.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
index 8ed973bdf8..99f664b431 100644
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@@ -451,12 +451,14 @@ static int ts_check_status_info(TS_RESP *response)
static char *ts_get_status_text(STACK_OF(ASN1_UTF8STRING) *text)
{
int i;
- unsigned int length = 0;
+ int length = 0;
char *result = NULL;
char *p;
for (i = 0; i < sk_ASN1_UTF8STRING_num(text); ++i) {
ASN1_UTF8STRING *current = sk_ASN1_UTF8STRING_value(text, i);
+ if (ASN1_STRING_length(current) > TS_MAX_STATUS_LENGTH - length - 1)
+ return NULL;
length += ASN1_STRING_length(current);
length += 1; /* separator character */
}
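Review bot: The new bound check in the loop of ts_get_status_text returns NULL without recording why, so an over-long status text in a response reaches the caller looking like any other NULL result from this function. The rest of the body and the caller are outside the hunk, so whether that NULL is then reported as an allocation failure is an inference worth checking. A short comment above the check would keep the intent visible, e.g. `/* Status text comes from the response: cap the total so length cannot overflow */`. ASN1_STRING_length(current) is also evaluated twice per iteration; reading it once into a local (`int len = ASN1_STRING_length(current);`) makes the check and the addition use the same value.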