From 66a66c8905ad12e7c1eb4d638bdd19ce5cee00d9 Mon Sep 17 00:00:00 2001
From: toddouska <todd@yassl.com>
Date: Thu, 20 Dec 2012 18:29:25 -0800
Subject: [PATCH 1/5] valgrind needs .sh

---
 Makefile.am | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Makefile.am b/Makefile.am
index d6a47b4c0..74d55b3c8 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -33,6 +33,7 @@ EXTRA_DIST+= cyassl.vcproj
 EXTRA_DIST+= cyassl-iphone.xcodeproj/project.pbxproj
 EXTRA_DIST+= cyassl-ntru.sln
 EXTRA_DIST+= cyassl.sln
+EXTRA_DIST+= valgrind-error.sh
 
 include cyassl/include.am
 include certs/include.am

From 76bbcbb7b201198711ef0bc7d8f7e6e4ab540e06 Mon Sep 17 00:00:00 2001
From: toddouska <todd@yassl.com>
Date: Thu, 20 Dec 2012 18:38:48 -0800
Subject: [PATCH 2/5] fix clang warning on api test

---
 tests/api.c | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/tests/api.c b/tests/api.c
index a38e11d7f..cdeeaf411 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -685,11 +685,6 @@ void test_client_nofail(void* args)
     int  input;
     int  msgSz = (int)strlen(msg);
 
-    int     argc = ((func_args*)args)->argc;
-    char**  argv = ((func_args*)args)->argv;
-    (void)argc;
-    (void)argv;
-
     ((func_args*)args)->return_code = TEST_FAIL;
     method = CyaSSLv23_client_method();
     ctx = CyaSSL_CTX_new(method);

From 6b15443a3b5e60c0542b11302e173a8126f3e027 Mon Sep 17 00:00:00 2001
From: toddouska <todd@yassl.com>
Date: Mon, 24 Dec 2012 14:37:03 -0800
Subject: [PATCH 3/5] fix clang using -pthreads flags on lion or greater

---
 m4/ax_pthread.m4 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/m4/ax_pthread.m4 b/m4/ax_pthread.m4
index e9787ce65..82ae1faf2 100644
--- a/m4/ax_pthread.m4
+++ b/m4/ax_pthread.m4
@@ -159,7 +159,7 @@ case ${host_os} in
         ax_pthread_flags="-pthreads pthread -mt -pthread $ax_pthread_flags"
         ;;
 
-        darwin12*)
+        darwin12* | darwin11.4*)
         ax_pthread_flags="$ax_pthread_flags"
         ;;
 

From 9c58f70e29b1604e1c694d3ac4f22519b7bb8ac2 Mon Sep 17 00:00:00 2001
From: toddouska <todd@yassl.com>
Date: Mon, 24 Dec 2012 15:40:09 -0800
Subject: [PATCH 4/5] add ciphertext size sanity checks

---
 cyassl/error.h |  1 +
 src/internal.c | 36 +++++++++++++++++++++++++++++++++++-
 2 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/cyassl/error.h b/cyassl/error.h
index 1c3909fe7..e46fed4e5 100644
--- a/cyassl/error.h
+++ b/cyassl/error.h
@@ -107,6 +107,7 @@ enum CyaSSL_ErrorCodes {
     SSL_NO_PEM_HEADER      = -272,            /* no PEM header found */
     OUT_OF_ORDER_E         = -273,            /* out of order message */
     BAD_KEA_TYPE_E         = -274,            /* bad KEA type found */
+    SANITY_CIPHER_E        = -275,            /* sanity check on cipher error */
     /* add strings to SetErrorString !!!!! */
 
     /* begin negotiation parameter errors */
diff --git a/src/internal.c b/src/internal.c
index b5b76e16d..e70e90ce6 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -3033,10 +3033,40 @@ static INLINE int Decrypt(CYASSL* ssl, byte* plain, const byte* input,
 }
 
 
+/* check cipher text size for sanity */
+static int SanityCheckCipherText(CYASSL* ssl, word32 encryptSz)
+{
+    word32 minLength = 0;
+
+    if (ssl->specs.cipher_type == block) {
+        if (encryptSz % ssl->specs.block_size) {
+            CYASSL_MSG("Block ciphertext not block size");
+            return SANITY_CIPHER_E;
+        }
+        minLength = ssl->specs.hash_size + 1;  /* pad byte */
+        if (ssl->specs.block_size > minLength)
+            minLength = ssl->specs.block_size;
+    }
+
+    if (encryptSz < minLength) {
+        CYASSL_MSG("Ciphertext not minimum size");
+        return SANITY_CIPHER_E;
+    }
+
+    return 0;
+}
+
+
 /* decrypt input message in place */
 static int DecryptMessage(CYASSL* ssl, byte* input, word32 sz, word32* idx)
 {
-    int decryptResult = Decrypt(ssl, input, input, sz);
+    int decryptResult;
+    int sanityResult = SanityCheckCipherText(ssl, sz);
+
+    if (sanityResult != 0)
+        return sanityResult;
+
+    decryptResult = Decrypt(ssl, input, input, sz);
 
     if (decryptResult == 0)
     {
@@ -4552,6 +4582,10 @@ void SetErrorString(int error, char* str)
         XSTRNCPY(str, "Bad KEA type found", max);
         break;
 
+    case SANITY_CIPHER_E:
+        XSTRNCPY(str, "Sanity check on ciphertext failed", max);
+        break;
+
     default :
         XSTRNCPY(str, "unknown error number", max);
     }

From 59419bef8973829a764054ce460e2aae4eac3d3b Mon Sep 17 00:00:00 2001
From: toddouska <todd@yassl.com>
Date: Wed, 26 Dec 2012 10:11:15 -0800
Subject: [PATCH 5/5] non block type ciphertext sanity checks

---
 src/internal.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/internal.c b/src/internal.c
index e70e90ce6..cd09f3ed8 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -3046,6 +3046,15 @@ static int SanityCheckCipherText(CYASSL* ssl, word32 encryptSz)
         minLength = ssl->specs.hash_size + 1;  /* pad byte */
         if (ssl->specs.block_size > minLength)
             minLength = ssl->specs.block_size;
+
+        if (ssl->options.tls1_1)
+            minLength += ssl->specs.block_size;  /* explicit IV */
+    }
+    else if (ssl->specs.cipher_type == stream) {
+        minLength = ssl->specs.hash_size;
+    }
+    else if (ssl->specs.cipher_type == aead) {
+        minLength = ssl->specs.block_size;   /* actual min? */
     }
 
     if (encryptSz < minLength) {