diff options
| author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-12-15 23:06:38 +0000 |
|---|---|---|
| committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-12-15 23:06:38 +0000 |
| commit | 9fff9aab4bd3a8fe3ae28451d23b789fd1193769 (patch) | |
| tree | 482f1ed05a6d2680517fb2a3c0b8d56cab901d4d /net/third_party/nss | |
| parent | 150ca3940c2b9f7b8f8cb2732ffc5d57f46b94e0 (diff) | |
| download | chromium_src-9fff9aab4bd3a8fe3ae28451d23b789fd1193769.zip chromium_src-9fff9aab4bd3a8fe3ae28451d23b789fd1193769.tar.gz chromium_src-9fff9aab4bd3a8fe3ae28451d23b789fd1193769.tar.bz2 | |
SSL: fix overflow error.
In the previous code, the addition was performed as an unsigned char. This
means that a value of 255 would wrap to 0 and throw us into a loop.
BUG=none
TEST=Have the server send an NPN extension with an element of length 255.
http://codereview.chromium.org/500032
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@34621 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/third_party/nss')
| -rw-r--r-- | net/third_party/nss/ssl/ssl3ext.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/net/third_party/nss/ssl/ssl3ext.c b/net/third_party/nss/ssl/ssl3ext.c index 0365d5a..7b8c646 100644 --- a/net/third_party/nss/ssl/ssl3ext.c +++ b/net/third_party/nss/ssl/ssl3ext.c @@ -440,7 +440,7 @@ ssl3_ValidateNextProtoNego(const unsigned char* data, unsigned short length) if (data[offset] == 0) { return SECFailure; } - offset += data[offset] + 1; + offset += (unsigned int)data[offset] + 1; } if (offset > length) @@ -479,10 +479,10 @@ ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type, result = &data->data[i]; goto found; } - j += ss->opt.nextProtoNego.data[j] + 1; + j += (unsigned int)ss->opt.nextProtoNego.data[j] + 1; } - i += data->data[i] + 1; + i += (unsigned int)data->data[i] + 1; } pick_first: |