From cf522314cebda6905c0312f3343cb17fb742e466 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh
Date: Thu, 30 Jun 2016 11:41:22 -0600
Subject: [PATCH 1/2] sanity checks
---
 src/internal.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/internal.c b/src/internal.c
index ac9ad5c51..a7c533114 100755
--- a/src/internal.c
+++ b/src/internal.c
@@ -4957,6 +4957,12 @@ int GrowInputBuffer(WOLFSSL* ssl, int size, int usedLength)
 while (align < hdrSz)
 align *= 2;
 }
+
+ if (usedLength < 0 || size < 0) {
+ WOLFSSL_MSG("GrowInputBuffer() called with negative number");
+ return BAD_FUNC_ARG;
+ }
+
 tmp = (byte*) XMALLOC(size + usedLength + align, ssl->heap,
 DYNAMIC_TYPE_IN_BUFFER);
 WOLFSSL_MSG("growing input buffer\n");
@@ -7753,8 +7759,12 @@ static int DoDtlsHandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 ssl->keys.dtls_expected_peer_handshake_number) {
 /* Already saw this message and processed it. It can be ignored. */
 *inOutIdx += fragSz;
- if(type == finished )
+ if(type == finished ) {
+ if (*inOutIdx + ssl->keys.padSz > totalSz) {
+ return BUFFER_E;
+ }
 *inOutIdx += ssl->keys.padSz;
+ }
 ret = DtlsPoolSend(ssl);
 }
 else if (fragSz < size) {
From 8bba628f3f9e6b74cb5a28f3a9bca9a097c7d613 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh
Date: Thu, 30 Jun 2016 13:42:38 -0600
Subject: [PATCH 2/2] sanity check in function GetInputData and when shrinking buffer
---
 src/internal.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/internal.c b/src/internal.c
index a7c533114..7efe08934 100755
--- a/src/internal.c
+++ b/src/internal.c
@@ -4814,7 +4814,7 @@ void ShrinkInputBuffer(WOLFSSL* ssl, int forcedFree)
 WOLFSSL_MSG("Shrinking input buffer\n");
- if (!forcedFree && usedLength)
+ if (!forcedFree && usedLength > 0)
 XMEMCPY(ssl->buffers.inputBuffer.staticBuffer,
 ssl->buffers.inputBuffer.buffer + ssl->buffers.inputBuffer.idx,
 usedLength);
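Review bot: The sum `size + usedLength + align` passed to XMALLOC in GrowInputBuffer can still overflow after the new negative-value guard, because two large non-negative ints wrap just as a negative operand would and the allocation would then be smaller than the data later copied into it. Extending the guard with an upper bound closes that, e.g. `if (usedLength < 0 || size < 0 || size > INT_MAX - usedLength - (int)align) {` (INT_MAX from <limits.h>; the type of `align` is not visible in the hunk, so confirm the cast). The guard also sits after the alignment loop; placing it at the top of the function would reject bad arguments before any other work. The function body starts and ends outside the hunk.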
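Review bot: The new bounds check in DoDtlsHandShakeMsg covers only the `padSz` advance; `*inOutIdx += fragSz;` two lines above it is not compared with `totalSz` anywhere in the visible lines, so confirm that an earlier check outside the hunk bounds `fragSz`. The comparison `*inOutIdx + ssl->keys.padSz > totalSz` can itself wrap if the operands are unsigned 32-bit values (inOutIdx is `word32*`; the other types are not shown), and a subtraction form avoids that: `if (*inOutIdx > totalSz || ssl->keys.padSz > totalSz - *inOutIdx) return BUFFER_E;`. A one-line comment saying why padding is skipped only for `finished` would help the next reader.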
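Review bot: In ShrinkInputBuffer a negative `usedLength` now skips the XMEMCPY silently, and nothing in the visible lines records that the buffer length and index were inconsistent; since the function returns void, a `WOLFSSL_MSG("ShrinkInputBuffer() negative usedLength")` on that path is the only way a caller's log would show it. The copy into `staticBuffer` is bounded only from below by this condition, so the upper bound is presumably enforced earlier in the function, outside the hunk. Once confirmed, a comment such as `/* usedLength is known to fit the static buffer here */` above the copy would document the invariant the XMEMCPY depends on.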
@@ -8902,14 +8902,16 @@ static int GetInputData(WOLFSSL *ssl, word32 size)
 }
 #endif
+ /* check that no lengths or size values are negative */
+ if (usedLength < 0 || maxLength < 0 || inSz <= 0) {
+ return BUFFER_ERROR;
+ }
+
 if (inSz > maxLength) {
 if (GrowInputBuffer(ssl, size + dtlsExtra, usedLength) < 0)
 return MEMORY_E;
 }
- if (inSz <= 0)
- return BUFFER_ERROR;
-
 /* Put buffer data at start if not there */
 if (usedLength > 0 && ssl->buffers.inputBuffer.idx != 0)
 XMEMMOVE(ssl->buffers.inputBuffer.buffer,
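Review bot: The call site in GetInputData still maps every negative return of GrowInputBuffer to MEMORY_E, so the BAD_FUNC_ARG that patch 1/2 introduces for negative arguments is reported as an allocation failure. `size` is `word32` and `size + dtlsExtra` is passed to an `int` parameter, so a very large record size is exactly the case that would hit the new argument check and then be mislabelled. Propagating the code keeps the two conditions distinguishable: `ret = GrowInputBuffer(ssl, size + dtlsExtra, usedLength);` followed by `if (ret < 0) return ret;`, with a local `int ret` if the function does not already have one; check that no caller depends on MEMORY_E specifically. The function body starts and ends outside the hunk.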