From c2c0b1519184b9c58299f480da06dff68067eb9d Mon Sep 17 00:00:00 2001
From: doug <doug@openbsd.org>
Date: Wed, 29 Apr 2015 01:39:32 +0000
Subject: [PATCH] Added len_len error checking for internal cbb_buffer_add_u().

ok jsing@
---
 lib/libssl/bs_cbb.c         | 5 ++++-
 lib/libssl/src/ssl/bs_cbb.c | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/lib/libssl/bs_cbb.c b/lib/libssl/bs_cbb.c
index 5546fac97f0..7f0e474dede 100644
--- a/lib/libssl/bs_cbb.c
+++ b/lib/libssl/bs_cbb.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: bs_cbb.c,v 1.5 2015/02/07 06:10:32 doug Exp $	*/
+/*	$OpenBSD: bs_cbb.c,v 1.6 2015/04/29 01:39:32 doug Exp $	*/
 /*
  * Copyright (c) 2014, Google Inc.
  *
@@ -127,6 +127,9 @@ cbb_buffer_add_u(struct cbb_buffer_st *base, uint32_t v, size_t len_len)
 	if (len_len == 0)
 		return 1;
 
+	if (len_len > 4)
+		return 0;
+
 	if (!cbb_buffer_add(base, &buf, len_len))
 		return 0;
 
diff --git a/lib/libssl/src/ssl/bs_cbb.c b/lib/libssl/src/ssl/bs_cbb.c
index 5546fac97f0..7f0e474dede 100644
--- a/lib/libssl/src/ssl/bs_cbb.c
+++ b/lib/libssl/src/ssl/bs_cbb.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: bs_cbb.c,v 1.5 2015/02/07 06:10:32 doug Exp $	*/
+/*	$OpenBSD: bs_cbb.c,v 1.6 2015/04/29 01:39:32 doug Exp $	*/
 /*
  * Copyright (c) 2014, Google Inc.
  *
@@ -127,6 +127,9 @@ cbb_buffer_add_u(struct cbb_buffer_st *base, uint32_t v, size_t len_len)
 	if (len_len == 0)
 		return 1;
 
+	if (len_len > 4)
+		return 0;
+
 	if (!cbb_buffer_add(base, &buf, len_len))
 		return 0;
 
-- 
2.20.1