From 6a57b13a2c90fe963053d2dfc5b4cdb6ea66d8af Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Wed, 6 Jun 2018 12:45:13 +0200
Subject: Fix variable overflow in TLS1.3 session ticket code

---
 lib/tls13/session_ticket.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/lib/tls13/session_ticket.c b/lib/tls13/session_ticket.c
index 8515b9cb19..dfe4992669 100644
--- a/lib/tls13/session_ticket.c
+++ b/lib/tls13/session_ticket.c
@@ -312,6 +312,7 @@ int _gnutls13_recv_session_ticket(gnutls_session_t session, gnutls_buffer_st *bu
 	uint8_t value;
 	tls13_ticket_t *ticket = &session->internals.tls13_ticket;
 	gnutls_datum_t t;
+	size_t val;
 
 	if (unlikely(buf == NULL))
 		return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
@@ -322,14 +323,16 @@ int _gnutls13_recv_session_ticket(gnutls_session_t session, gnutls_buffer_st *bu
 	_gnutls_handshake_log("HSK[%p]: parsing session ticket message\n", session);
 
 	/* ticket_lifetime */
-	ret = _gnutls_buffer_pop_prefix32(buf, (size_t *) &ticket->lifetime, 0);
+	ret = _gnutls_buffer_pop_prefix32(buf, &val, 0);
 	if (ret < 0)
 		return gnutls_assert_val(ret);
+	ticket->lifetime = val;
 
 	/* ticket_age_add */
-	ret = _gnutls_buffer_pop_prefix32(buf, (size_t *) &ticket->age_add, 0);
+	ret = _gnutls_buffer_pop_prefix32(buf, &val, 0);
 	if (ret < 0)
 		return gnutls_assert_val(ret);
+	ticket->age_add = val;
 
 	/* ticket_nonce */
 	ret = _gnutls_buffer_pop_prefix8(buf, &value, 0);
-- 
cgit v1.2.1