
Integer overflow in s2n_hybrid_server_key_recv_read_data() size calculation #5793

@cpsource

Description


Summary

In tls/s2n_server_key_exchange.c line 231, inside s2n_hybrid_server_key_recv_read_data(), two uint32_t size values are added without using the library's overflow-checked arithmetic helper:

total_data_to_verify->size = data_to_verify_0.size + data_to_verify_1.size;

If the two .size values sum to more than UINT32_MAX, the addition silently wraps around (unsigned overflow is defined as modulo-2^32 arithmetic, so no trap or diagnostic is raised), resulting in a smaller-than-expected total_data_to_verify->size. This could lead to incorrect buffer sizing for subsequent signature verification.

Suggested Fix

Use s2n_add_overflow() consistent with the library's safety patterns elsewhere:

RESULT_GUARD_POSIX(s2n_add_overflow(data_to_verify_0.size, data_to_verify_1.size, &total_data_to_verify->size));

Impact

While unlikely to be triggered under normal TLS traffic due to protocol-level size constraints, this is inconsistent with the library's defensive arithmetic patterns and could theoretically be exploited via crafted hybrid key exchange data.

Additional Context

A similar unchecked addition exists at line 136 in s2n_dhe_server_key_recv_read_data():

data_to_verify->size = 2 + p_length + 2 + g_length + 2 + Ys_length;

Found during code review.
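The two addition patterns above, side by side with checked versions, as an added example that is not code from s2n-tls or from this issue's author. The struct `size_blob`, the helpers `sum_sizes_unchecked`, `add_overflow_checked`, `hybrid_total_size` and `dhe_signed_size`, and the sample sizes are all assumptions for illustration; `add_overflow_checked` is written to the contract the issue describes for `s2n_add_overflow` (success or failure return, no wrapped result on failure) but is a local stand-in, not the library's implementation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-in for a blob: only the size field matters here.
 * Assumed shape for this example, not s2n's own struct s2n_blob. */
struct size_blob {
    const uint8_t *data;
    uint32_t size;
};

/* The pattern the issue reports: a bare uint32_t addition. Unsigned
 * overflow wraps modulo 2^32 by definition, so there is no trap and
 * no warning; the caller just receives a small, wrong size. */
static uint32_t sum_sizes_unchecked(uint32_t a, uint32_t b)
{
    return a + b;
}

/* Checked addition, local stand-in for the s2n_add_overflow contract as
 * assumed here: returns 0 and writes the sum on success, returns -1 and
 * leaves *out untouched when a + b would exceed UINT32_MAX. */
static int add_overflow_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a > UINT32_MAX - b) {
        return -1;
    }
    *out = a + b;
    return 0;
}

/* Hypothetical counterpart of the hybrid case: the size of the data to
 * verify is the sum of two blob sizes. Fails instead of wrapping. */
static int hybrid_total_size(const struct size_blob *b0,
                             const struct size_blob *b1, uint32_t *total)
{
    return add_overflow_checked(b0->size, b1->size, total);
}

/* Hypothetical counterpart of the DHE case: 2 + p + 2 + g + 2 + Ys, with
 * every partial sum checked so one huge length cannot wrap the total. */
static int dhe_signed_size(uint32_t p_length, uint32_t g_length,
                           uint32_t ys_length, uint32_t *total)
{
    const uint32_t terms[] = { 2, p_length, 2, g_length, 2, ys_length };
    uint32_t acc = 0;
    for (size_t i = 0; i < sizeof(terms) / sizeof(terms[0]); i++) {
        if (add_overflow_checked(acc, terms[i], &acc) != 0) {
            return -1;
        }
    }
    *total = acc;
    return 0;
}

int main(void)
{
    /* Constructed sizes chosen so that the sum exceeds UINT32_MAX. */
    struct size_blob b0 = { NULL, 0xFFFFFFF0u };
    struct size_blob b1 = { NULL, 0x20u };
    uint32_t total = 0;

    printf("unchecked: 0x%08X + 0x%08X = 0x%08X (wrapped)\n",
           b0.size, b1.size, sum_sizes_unchecked(b0.size, b1.size));
    if (hybrid_total_size(&b0, &b1, &total) != 0) {
        printf("checked:   overflow detected, total left at %u\n", total);
    }
    if (dhe_signed_size(256, 1, 256, &total) == 0) {
        printf("dhe:       2+256+2+1+2+256 = %u\n", total);
    }
    if (dhe_signed_size(UINT32_MAX - 4, 1, 1, &total) != 0) {
        printf("dhe:       overflow detected for p_length = UINT32_MAX-4\n");
    }
    return 0;
}
```

Note that a plain `-fsanitize=undefined` build will not flag the unchecked version, because unsigned wrap-around is defined behaviour; clang's separate `-fsanitize=unsigned-integer-overflow` check does report it, which is one way to confirm whether such a site is reachable with attacker-controlled lengths in a fuzz run.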
