Fix variable overflow in TLS1.3 session ticket code

author: Tim Rühsen <tim.ruehsen@gmx.de> 2018-06-06 12:45:13 +0200
committer: Tim Rühsen <tim.ruehsen@gmx.de> 2018-06-06 13:05:33 +0200
commit: 6a57b13a2c90fe963053d2dfc5b4cdb6ea66d8af (patch)
tree: 93ced71764fa9d8f7acdc8a992f9ea5358f0c1b0
parent: 49ab842741b63b11d1d43de65ead70bc911cce63 (diff)
download: gnutls-6a57b13a2c90fe963053d2dfc5b4cdb6ea66d8af.tar.gz
1 files changed, 5 insertions, 2 deletions
diff --git a/lib/tls13/session_ticket.c b/lib/tls13/session_ticket.c
index 8515b9cb19..dfe4992669 100644
--- a/lib/tls13/session_ticket.c
+++ b/lib/tls13/session_ticket.c
@@ -312,6 +312,7 @@ int _gnutls13_recv_session_ticket(gnutls_session_t session, gnutls_buffer_st *bu
 	uint8_t value;
 	tls13_ticket_t *ticket = &session->internals.tls13_ticket;
 	gnutls_datum_t t;
+	size_t val;
 
 	if (unlikely(buf == NULL))
 		return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
@@ -322,14 +323,16 @@ int _gnutls13_recv_session_ticket(gnutls_session_t session, gnutls_buffer_st *bu
 	_gnutls_handshake_log("HSK[%p]: parsing session ticket message\n", session);
 
 	/* ticket_lifetime */
-	ret = _gnutls_buffer_pop_prefix32(buf, (size_t *) &ticket->lifetime, 0);
+	ret = _gnutls_buffer_pop_prefix32(buf, &val, 0);
 	if (ret < 0)
 		return gnutls_assert_val(ret);
+	ticket->lifetime = val;
 
 	/* ticket_age_add */
-	ret = _gnutls_buffer_pop_prefix32(buf, (size_t *) &ticket->age_add, 0);
+	ret = _gnutls_buffer_pop_prefix32(buf, &val, 0);
 	if (ret < 0)
 		return gnutls_assert_val(ret);
+	ticket->age_add = val;
 
 	/* ticket_nonce */
 	ret = _gnutls_buffer_pop_prefix8(buf, &value, 0);
author	Tim Rühsen <tim.ruehsen@gmx.de>	2018-06-06 12:45:13 +0200
committer	Tim Rühsen <tim.ruehsen@gmx.de>	2018-06-06 13:05:33 +0200
commit	6a57b13a2c90fe963053d2dfc5b4cdb6ea66d8af (patch)
tree	93ced71764fa9d8f7acdc8a992f9ea5358f0c1b0
parent	49ab842741b63b11d1d43de65ead70bc911cce63 (diff)
download	gnutls-6a57b13a2c90fe963053d2dfc5b4cdb6ea66d8af.tar.gz