From b538ae4fbf1d9c800d2ed1cc6c317b36572ec7bb Mon Sep 17 00:00:00 2001
From: Hugo Landau
Date: Thu, 27 Jul 2023 16:05:18 +0100
Subject: QUIC QRX: Handle negative IV length values correctly (coverity)
Reviewed-by: Tomas Mraz
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/21565)
---
 ssl/quic/quic_record_rx.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'ssl/quic/quic_record_rx.c')
diff --git a/ssl/quic/quic_record_rx.c b/ssl/quic/quic_record_rx.c
index feb32d9272..4f4a1b84a9 100644
--- a/ssl/quic/quic_record_rx.c
+++ b/ssl/quic/quic_record_rx.c
@@ -685,9 +685,9 @@ static int qrx_decrypt_pkt_body(OSSL_QRX *qrx, unsigned char *dst,
 unsigned char key_phase_bit,
 uint64_t *rx_key_epoch)
 {
- int l = 0, l2 = 0, is_old_key;
+ int l = 0, l2 = 0, is_old_key, nonce_len;
 unsigned char nonce[EVP_MAX_IV_LENGTH];
- size_t nonce_len, i, cctx_idx;
+ size_t i, cctx_idx;
 OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(&qrx->el_set,
 enc_level, 1);
 EVP_CIPHER_CTX *cctx;
@@ -731,7 +731,7 @@ static int qrx_decrypt_pkt_body(OSSL_QRX *qrx, unsigned char *dst,
 /* Construct nonce (nonce=IV ^ PN). */
 nonce_len = EVP_CIPHER_CTX_get_iv_length(cctx);
- if (!ossl_assert(nonce_len >= sizeof(QUIC_PN)))
+ if (!ossl_assert(nonce_len >= (int)sizeof(QUIC_PN)))
 return 0;
 memcpy(nonce, el->iv[cctx_idx], nonce_len);
-- 
cgit v1.2.3
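Review bot: The guard ahead of `memcpy(nonce, el->iv[cctx_idx], nonce_len)` in the second hunk bounds `nonce_len` only from below, so nothing visible here keeps the copy within the `EVP_MAX_IV_LENGTH`-byte stack buffer `nonce` if the cipher context ever reports a longer IV. I would fold the upper bound into the same assertion: `if (!ossl_assert(nonce_len >= (int)sizeof(QUIC_PN) && nonce_len <= (int)sizeof(nonce)))`. Since `nonce_len` is now `int` and is converted back to `size_t` at the `memcpy` call, a short comment at the declaration in the first hunk would also help, e.g. `/* int: EVP_CIPHER_CTX_get_iv_length() may return a negative value */`. The body of `qrx_decrypt_pkt_body` continues outside both hunks and the size of `el->iv[]` is not visible, so whether the source side of the copy is equally bounded should be confirmed.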