authorLev Walkin <vlm@lionet.info>2006-07-13 12:01:26 +0000
committerLev Walkin <vlm@lionet.info>2006-07-13 12:01:26 +0000
commit97c5cfc8c56da86c3482523136c183819e08370d (patch)
tree5e14df86b8d65900c6434b554c31c8e11784faf6
parent1eded3544e880b2a2c9ee122ace2c64710d04981 (diff)
finally got it right
-rw-r--r--skeletons/ber_tlv_length.c3
-rw-r--r--skeletons/tests/check-length.c2
2 files changed, 4 insertions, 1 deletions
diff --git a/skeletons/ber_tlv_length.c b/skeletons/ber_tlv_length.c
index 2baa1a10..5edd3524 100644
--- a/skeletons/ber_tlv_length.c
+++ b/skeletons/ber_tlv_length.c
@@ -51,6 +51,7 @@ ber_fetch_length(int _is_constructed, const void *bufptr, size_t size,
}
if(oct == 0) {
+ ber_tlv_len_t lenplusepsilon = len + 1024;
/*
* Here length may be very close or equal to 2G.
* However, the arithmetics used in some decoders
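Review bot: The added `ber_tlv_len_t lenplusepsilon = len + 1024;` performs the addition before anything checks it, and the `lenplusepsilon < 0` test in the next hunk only fires if the sum wraps to a negative value. The comparison against zero implies ber_tlv_len_t is signed, and signed overflow is undefined behavior in C, so an optimizing compiler may assume the sum stays non-negative and drop the guard that protects downstream decoders from oversized lengths. Comparing before adding avoids the overflow entirely, e.g. `if(len > SSIZE_MAX - 1024) return -1;` if ber_tlv_len_t is ssize_t (the typedef is not visible here, so use the limit that matches it). ber_fetch_length starts and ends outside both hunks.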
@@ -58,7 +59,7 @@ ber_fetch_length(int _is_constructed, const void *bufptr, size_t size,
* to check the resulting value against some limits.
* This may result in integer wrap-around.
*/
- if((len + 1024) < len - 1024) {
+ if(lenplusepsilon < 0) {
/* Too large length value */
return -1;
}
diff --git a/skeletons/tests/check-length.c b/skeletons/tests/check-length.c
index 6dfc7aee..312e0370 100644
--- a/skeletons/tests/check-length.c
+++ b/skeletons/tests/check-length.c
@@ -112,9 +112,11 @@ main() {
* Here although tlv_len is not greater than 2^31,
* we ought to hit an embedded length exploitation preventive check.
*/
+ printf("sizeof(tlv_len) = %d\n", (int)sizeof(tlv_len));
if(sizeof(tlv_len) <= 4) {
ret = ber_fetch_length(0, buf3, sizeof(buf3), &tlv_len);
printf("ret=%ld\n", (long)ret);
+ printf("len=0x%x\n", (long)tlv_len);
assert(ret == -1);
}
if(sizeof(tlv_len) <= 8) {