diff --git a/src/internal.c b/src/internal.c index c462742fb..eb35c9f32 100644 --- a/src/internal.c +++ b/src/internal.c @@ -6166,6 +6166,9 @@ retry: timeout.it_value.tv_usec == 0) { XSTRNCPY(ssl->timeoutInfo.timeoutName, "recv() timeout", MAX_TIMEOUT_NAME_SZ); + ssl->timeoutInfo.timeoutName[ + MAX_TIMEOUT_NAME_SZ] = '\0'; + WOLFSSL_MSG("Got our timeout"); return WANT_READ; } @@ -6277,6 +6280,9 @@ int SendBuffered(WOLFSSL* ssl) timeout.it_value.tv_usec == 0) { XSTRNCPY(ssl->timeoutInfo.timeoutName, "send() timeout", MAX_TIMEOUT_NAME_SZ); + ssl->timeoutInfo.timeoutName[ + MAX_TIMEOUT_NAME_SZ] = '\0'; + WOLFSSL_MSG("Got our timeout"); return WANT_WRITE; } @@ -16651,6 +16657,7 @@ void PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, if (info->ssl->options.cipherSuite0 == ECC_BYTE) continue; /* ECC suites at end */ XSTRNCPY(info->cipherName, cipher_names[i], MAX_CIPHERNAME_SZ); + info->cipherName[MAX_CIPHERNAME_SZ] = '\0'; break; } @@ -16666,8 +16673,10 @@ void PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, #ifdef WOLFSSL_CALLBACKS HandShakeInfo* info = &ssl->handShakeInfo; if (info->numberPackets < MAX_PACKETS_HANDSHAKE) { - XSTRNCPY(info->packetNames[info->numberPackets++], name, - MAX_PACKETNAME_SZ); + char* packetName = info->packetNames[info->numberPackets]; + XSTRNCPY(packetName, name, MAX_PACKETNAME_SZ); + packetName[MAX_PACKETNAME_SZ] = '\0'; + info->numberPackets++ } #endif (void)ssl; @@ -16716,8 +16725,9 @@ void PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, /* make sure we have a valid previous one */ if (info->numberPackets > 0 && info->numberPackets < MAX_PACKETS_HANDSHAKE) { - XSTRNCPY(info->packets[info->numberPackets - 1].packetName, name, - MAX_PACKETNAME_SZ); + char* packetName = info->packets[info->numberPackets-1].packetName; + XSTRNCPY(packetName, name, MAX_PACKETNAME_SZ); + packetName[MAX_PACKETNAME_SZ] = '\0'; } } @@ -16759,9 +16769,11 @@ void PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, Timeval currTime; /* may add name after */ - if (name) - XSTRNCPY(info->packets[info->numberPackets].packetName, name, - MAX_PACKETNAME_SZ); + if (name) { + char* packetName = info->packets[info->numberPackets].packetName; + XSTRNCPY(packetName, name, MAX_PACKETNAME_SZ); + packetName[MAX_PACKETNAME_SZ] = '\0'; + } /* add data, put in buffer if bigger than static buffer */ info->packets[info->numberPackets].valueSz = sz; diff --git a/src/sniffer.c b/src/sniffer.c index 3d8aa17e0..a9d4bdca4 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -301,7 +301,7 @@ typedef struct SnifferServer { int port; /* server port */ #ifdef HAVE_SNI NamedKey* namedKeys; /* mapping of names and keys */ - wolfSSL_Mutex namedKeysMutex; /* mutex for namedKey list */ + wolfSSL_Mutex namedKeysMutex; /* mutex for namedKey list */ #endif struct SnifferServer* next; /* for list */ } SnifferServer; @@ -1248,11 +1248,10 @@ static int SetNamedPrivateKey(const char* name, const char* address, int port, XMEMSET(namedKey, 0, sizeof(NamedKey)); namedKey->nameSz = (word32)XSTRLEN(name); - XSTRNCPY(namedKey->name, name, sizeof(namedKey->name)); - if (namedKey->nameSz >= sizeof(namedKey->name)) { - namedKey->nameSz = sizeof(namedKey->name) - 1; - namedKey->name[namedKey->nameSz] = '\0'; - } + if (namedKey->nameSz > sizeof(namedKey->name)-1) + namedKey->nameSz = sizeof(namedKey->name)-1; + XSTRNCPY(namedKey->name, name, namedKey->nameSz); + namedKey->name[MAX_SERVER_NAME-1] = '\0'; ret = LoadKeyFile(&namedKey->key, &namedKey->keySz, keyFile, type, password); @@ -1828,7 +1827,7 @@ static int ProcessClientHello(const byte* input, int* sslBytes, if (ret == WOLFSSL_SUCCESS) { NamedKey* namedKey; - if (nameSz >= sizeof(name)) + if (nameSz > sizeof(name) - 1) nameSz = sizeof(name) - 1; name[nameSz] = 0; wc_LockMutex(&session->context->namedKeysMutex); diff --git a/src/ssl.c b/src/ssl.c index fb4bb034f..ae10828a1 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -719,8 +719,9 @@ int wolfSSL_get_ciphers(char* buf, int len) /* Check to make sure buf is large enough and will not overflow */ if (totalInc < len) { - XSTRNCPY(buf, ciphers[i], XSTRLEN(ciphers[i])); - buf += XSTRLEN(ciphers[i]); + size_t cipherLen = XSTRLEN(ciphers[i]); + XSTRNCPY(buf, ciphers[i], cipherLen); + buf += cipherLen; if (i < size - 1) *buf++ = delim; @@ -2172,8 +2173,8 @@ int wolfSSL_UseALPN(WOLFSSL* ssl, char *protocol_name_list, return MEMORY_ERROR; } - XMEMSET(list, 0, protocol_name_listSz+1); XSTRNCPY(list, protocol_name_list, protocol_name_listSz); + list[protocol_name_listSz] = '\0'; /* read all protocol name from the list */ token[idx] = XSTRTOK(list, ",", &ptr); @@ -10753,13 +10754,14 @@ int wolfSSL_check_domain_name(WOLFSSL* ssl, const char* dn) if (ssl->buffers.domainName.buffer) XFREE(ssl->buffers.domainName.buffer, ssl->heap, DYNAMIC_TYPE_DOMAIN); - ssl->buffers.domainName.length = (word32)XSTRLEN(dn) + 1; - ssl->buffers.domainName.buffer = (byte*) XMALLOC( - ssl->buffers.domainName.length, ssl->heap, DYNAMIC_TYPE_DOMAIN); + ssl->buffers.domainName.length = (word32)XSTRLEN(dn); + ssl->buffers.domainName.buffer = (byte*)XMALLOC( + ssl->buffers.domainName.length + 1, ssl->heap, DYNAMIC_TYPE_DOMAIN); if (ssl->buffers.domainName.buffer) { - XSTRNCPY((char*)ssl->buffers.domainName.buffer, dn, - ssl->buffers.domainName.length); + char* domainName = (char*)ssl->buffers.domainName.buffer; + XSTRNCPY(domainName, dn, ssl->buffers.domainName.length); + domainName[ssl->buffers.domainName.length] = '\0'; return WOLFSSL_SUCCESS; } else { @@ -11104,7 +11106,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) { WOLFSSL_ENTER("SSL_CTX_use_psk_identity_hint"); if (hint == 0) - ctx->server_hint[0] = 0; + ctx->server_hint[0] = '\0'; else { XSTRNCPY(ctx->server_hint, hint, sizeof(ctx->server_hint)); ctx->server_hint[MAX_PSK_ID_LEN] = '\0'; /* null term */ @@ -25460,7 +25462,7 @@ static int EncryptDerKey(byte *der, int *derSz, const EVP_CIPHER* cipher, } /* set the cipher name on info */ - XSTRNCPY(info->name, cipher, NAME_SZ); + XSTRNCPY(info->name, cipher, NAME_SZ-1); info->name[NAME_SZ-1] = '\0'; /* null term */ /* Generate a random salt */ diff --git a/src/tls.c b/src/tls.c index 4a3a7fba2..814099f9e 100644 --- a/src/tls.c +++ b/src/tls.c @@ -1408,7 +1408,7 @@ static SNI* TLSX_SNI_New(byte type, const void* data, word16 size, void* heap) DYNAMIC_TYPE_TLSX); if (sni->data.host_name) { XSTRNCPY(sni->data.host_name, (const char*)data, size); - sni->data.host_name[size] = 0; + sni->data.host_name[size] = '\0'; } else { XFREE(sni, heap, DYNAMIC_TYPE_TLSX); sni = NULL; @@ -7398,7 +7398,7 @@ static word16 TLSX_GetSize(TLSX* list, byte* semaphore, byte msgType) length += PHA_GET_SIZE(msgType); break; #endif - + #if !defined(WOLFSSL_TLS13_DRAFT_18) && !defined(WOLFSSL_TLS13_DRAFT_22) case TLSX_SIGNATURE_ALGORITHMS_CERT: length += SAC_GET_SIZE(extension->data); diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index e21c66e58..5e5a5f8ac 100755 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -6931,6 +6931,13 @@ int wc_DerToPemEx(const byte* der, word32 derSz, byte* output, word32 outSz, return MEMORY_E; } #endif + + /* null term and leave room for \n */ + header[headerLen-1] = '\0'; + footer[footerLen-1] = '\0'; + headerLen -= 2; + footerLen -= 2; + if (type == CERT_TYPE) { XSTRNCPY(header, BEGIN_CERT, headerLen); XSTRNCAT(header, "\n", 1); @@ -8291,7 +8298,7 @@ static int EncodePolicyOID(byte *out, word32 *outSz, const char *in, void* heap) return MEMORY_E; XSTRNCPY(str, in, len); - str[len] = 0x00; + str[len] = '\0'; nb_val = 0; @@ -9942,12 +9949,13 @@ int wc_SetKeyUsage(Cert *cert, const char *value) cert->keyUsage = 0; - str = (char*)XMALLOC(XSTRLEN(value)+1, cert->heap, DYNAMIC_TYPE_TMP_BUFFER); + len = (word32)XSTRLEN(value); + str = (char*)XMALLOC(len+1, cert->heap, DYNAMIC_TYPE_TMP_BUFFER); if (str == NULL) return MEMORY_E; - XMEMSET(str, 0, XSTRLEN(value)+1); - XSTRNCPY(str, value, XSTRLEN(value)); + XSTRNCPY(str, value, len); + str[len] = '\0'; /* parse value, and set corresponding Key Usage value */ if ((token = XSTRTOK(str, ",", &ptr)) == NULL) { @@ -10001,12 +10009,13 @@ int wc_SetExtKeyUsage(Cert *cert, const char *value) cert->extKeyUsage = 0; - str = (char*)XMALLOC(XSTRLEN(value)+1, cert->heap, DYNAMIC_TYPE_TMP_BUFFER); + len = (word32)XSTRLEN(value); + str = (char*)XMALLOC(len+1, cert->heap, DYNAMIC_TYPE_TMP_BUFFER); if (str == NULL) return MEMORY_E; - XMEMSET(str, 0, XSTRLEN(value)+1); - XSTRNCPY(str, value, XSTRLEN(value)); + XSTRNCPY(str, value, len); + str[len] = '\0'; /* parse value, and set corresponding Key Usage value */ if ((token = XSTRTOK(str, ",", &ptr)) == NULL) { @@ -10229,56 +10238,56 @@ static int SetNameFromCert(CertName* cn, const byte* der, int derSz) sz = (decoded->subjectCNLen < CTC_NAME_SIZE) ? decoded->subjectCNLen : CTC_NAME_SIZE - 1; XSTRNCPY(cn->commonName, decoded->subjectCN, CTC_NAME_SIZE); - cn->commonName[sz] = 0; + cn->commonName[sz] = '\0'; cn->commonNameEnc = decoded->subjectCNEnc; } if (decoded->subjectC) { sz = (decoded->subjectCLen < CTC_NAME_SIZE) ? decoded->subjectCLen : CTC_NAME_SIZE - 1; XSTRNCPY(cn->country, decoded->subjectC, CTC_NAME_SIZE); - cn->country[sz] = 0; + cn->country[sz] = '\0'; cn->countryEnc = decoded->subjectCEnc; } if (decoded->subjectST) { sz = (decoded->subjectSTLen < CTC_NAME_SIZE) ? decoded->subjectSTLen : CTC_NAME_SIZE - 1; XSTRNCPY(cn->state, decoded->subjectST, CTC_NAME_SIZE); - cn->state[sz] = 0; + cn->state[sz] = '\0'; cn->stateEnc = decoded->subjectSTEnc; } if (decoded->subjectL) { sz = (decoded->subjectLLen < CTC_NAME_SIZE) ? decoded->subjectLLen : CTC_NAME_SIZE - 1; XSTRNCPY(cn->locality, decoded->subjectL, CTC_NAME_SIZE); - cn->locality[sz] = 0; + cn->locality[sz] = '\0'; cn->localityEnc = decoded->subjectLEnc; } if (decoded->subjectO) { sz = (decoded->subjectOLen < CTC_NAME_SIZE) ? decoded->subjectOLen : CTC_NAME_SIZE - 1; XSTRNCPY(cn->org, decoded->subjectO, CTC_NAME_SIZE); - cn->org[sz] = 0; + cn->org[sz] = '\0'; cn->orgEnc = decoded->subjectOEnc; } if (decoded->subjectOU) { sz = (decoded->subjectOULen < CTC_NAME_SIZE) ? decoded->subjectOULen : CTC_NAME_SIZE - 1; XSTRNCPY(cn->unit, decoded->subjectOU, CTC_NAME_SIZE); - cn->unit[sz] = 0; + cn->unit[sz] = '\0'; cn->unitEnc = decoded->subjectOUEnc; } if (decoded->subjectSN) { sz = (decoded->subjectSNLen < CTC_NAME_SIZE) ? decoded->subjectSNLen : CTC_NAME_SIZE - 1; XSTRNCPY(cn->sur, decoded->subjectSN, CTC_NAME_SIZE); - cn->sur[sz] = 0; + cn->sur[sz] = '\0'; cn->surEnc = decoded->subjectSNEnc; } if (decoded->subjectEmail) { sz = (decoded->subjectEmailLen < CTC_NAME_SIZE) ? decoded->subjectEmailLen : CTC_NAME_SIZE - 1; XSTRNCPY(cn->email, decoded->subjectEmail, CTC_NAME_SIZE); - cn->email[sz] = 0; + cn->email[sz] = '\0'; } } diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 5354a9bb2..fd059efa9 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2780,7 +2780,7 @@ enum AcceptState { typedef struct Buffers { bufferStatic inputBuffer; bufferStatic outputBuffer; - buffer domainName; /* for client check */ + buffer domainName; /* for client check */ buffer clearOutputBuffer; buffer sig; /* signature data */ buffer digest; /* digest data */ @@ -2811,12 +2811,12 @@ typedef struct Buffers { #endif #endif #ifdef WOLFSSL_SEND_HRR_COOKIE - buffer tls13CookieSecret; /* HRR cookie secret */ + buffer tls13CookieSecret; /* HRR cookie secret */ #endif #ifdef WOLFSSL_DTLS - WOLFSSL_DTLS_CTX dtlsCtx; /* DTLS connection context */ + WOLFSSL_DTLS_CTX dtlsCtx; /* DTLS connection context */ #ifndef NO_WOLFSSL_SERVER - buffer dtlsCookieSecret; /* DTLS cookie secret */ + buffer dtlsCookieSecret; /* DTLS cookie secret */ #endif /* NO_WOLFSSL_SERVER */ #endif #ifdef HAVE_PK_CALLBACKS