finally got it right

skeletons/ber_tlv_length.c

@@ -51,6 +51,7 @@ ber_fetch_length(int _is_constructed, const void *bufptr, size_t size,
 		}
 
 		if(oct == 0) {
+			ber_tlv_len_t lenplusepsilon = len + 1024;
 			/*
 			 * Here length may be very close or equal to 2G.
 			 * However, the arithmetics used in some decoders
@@ -58,7 +59,7 @@ ber_fetch_length(int _is_constructed, const void *bufptr, size_t size,
 			 * to check the resulting value against some limits.
 			 * This may result in integer wrap-around.
 			 */
-			if((len + 1024) < len - 1024) {
+			if(lenplusepsilon < 0) {
 				/* Too large length value */
 				return -1;
 			}

skeletons/tests/check-length.c

@@ -112,9 +112,11 @@ main() {
 	 * Here although tlv_len is not greater than 2^31,
 	 * we ought to hit an embedded length exploitation preventive check.
 	 */
+	printf("sizeof(tlv_len) = %d\n", (int)sizeof(tlv_len));
 	if(sizeof(tlv_len) <= 4) {
 		ret = ber_fetch_length(0, buf3, sizeof(buf3), &tlv_len);
 		printf("ret=%ld\n", (long)ret);
+		printf("len=0x%x\n", (long)tlv_len);
 		assert(ret == -1);
 	}
 	if(sizeof(tlv_len) <= 8) {