From f715d9179cfe19bd1bc5c5a038837db9565bf3fa Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Wed, 12 Dec 2018 12:48:30 -0800
Subject: [PATCH] Add check for buffer size versus pad size in DoCertificateStatus()
---
 src/internal.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/internal.c b/src/internal.c
index 281bab816..f88e60396 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -10252,8 +10252,11 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 if (ret != 0) SendAlert(ssl, alert_fatal, bad_certificate_status_response);
- if (IsEncryptionOn(ssl, 0))
+ if (IsEncryptionOn(ssl, 0)) {
+ if (*inOutIdx + ssl->keys.padSz > size)
+ return BUFFER_E;
 *inOutIdx += ssl->keys.padSz;
+ }
 WOLFSSL_LEAVE("DoCertificateStatus", ret);
 WOLFSSL_END(WC_FUNC_CERTIFICATE_STATUS_DO);
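Review bot: The added guard `if (*inOutIdx + ssl->keys.padSz > size)` tests the bound with an unsigned sum, and `*inOutIdx` is a `word32` per the signature in the hunk header, so the addition can wrap and let the check pass if `padSz` is ever large (assuming `padSz` is no wider than `word32`); the subtraction form avoids that: `if (ssl->keys.padSz > size || *inOutIdx > size - ssl->keys.padSz) return BUFFER_E;`. The declaration of `size` is outside the hunk, so it should be confirmed that it is a limit in the same coordinate space as `*inOutIdx` (an offset into `input`) and not only the length of this message. The new `return BUFFER_E;` also exits before `WOLFSSL_LEAVE`/`WOLFSSL_END` run and replaces a non-zero `ret` for which the alert above was just sent; assigning `ret = BUFFER_E;` and skipping the increment would keep the common exit path. DoCertificateStatus starts and ends outside the hunk.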