Make sure plaintext.max_size() > 2 + serverkey_id_size always

Razvan Cojocaru · Jenkins-dev · commit bfc8f3002971 · 2025-06-23T12:41:07.000Z
Address Coverity complaint.

Signed-off-by: Razvan Cojocaru &lt;razvan.cojocaru@openvpn.com&gt;
diff --git a/openvpn/ssl/proto.hpp b/openvpn/ssl/proto.hpp
@@ -2470,6 +2470,9 @@ class ProtoContext : public logging::LoggingMixin<OPENVPN_DEBUG_PROTO,
                 plaintext.write(&k_id, sizeof(k_id));
             }
 
+            if (plaintext.max_size() <= 2 + serverkey_id_size)
+                return Error::DECRYPT_ERROR;
+
             const size_t decrypt_bytes = tls_crypt_server.decrypt(wkc_raw,
                                                                   plaintext.data() + 2 + serverkey_id_size,
                                                                   plaintext.max_size() - 2 - serverkey_id_size,

Original file line number	Diff line number	Diff line change
`@@ -2470,6 +2470,9 @@ class ProtoContext : public logging::LoggingMixin<OPENVPN_DEBUG_PROTO,`
`2470`	`2470`	`plaintext.write(&k_id, sizeof(k_id));`
`2471`	`2471`	`}`
`2472`	`2472`
	`2473`	`+ if (plaintext.max_size() <= 2 + serverkey_id_size)`
	`2474`	`+ return Error::DECRYPT_ERROR;`
	`2475`	`+`
`2473`	`2476`	`const size_t decrypt_bytes = tls_crypt_server.decrypt(wkc_raw,`
`2474`	`2477`	`plaintext.data() + 2 + serverkey_id_size,`
`2475`	`2478`	`plaintext.max_size() - 2 - serverkey_id_size,`