feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Maintenance: OCSP

Browse Source 
1. Check array index bounds before using them in arrays.
2. When processing an HTTP buffer, check that the new buffer size is
valid before allocating a new one.
This commit is contained in:
John Safranek
2019-11-18 14:15:55 -08:00
parent 4282346eef
commit a1e33e7ec9
1 changed files with 24 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
src/wolfio.c
View File

@ -902,7 +902,8 @@ int wolfIO_DecodeUrl(const char* url, int urlSz, char* outName, char* outPath,
if (url[cur] == '[') { if (url[cur] == '[') {
cur++; cur++;
/* copy until ']' */ /* copy until ']' */
while (url[cur] != 0 && url[cur] != ']' && cur < urlSz) { while (i < MAX_URL_ITEM_SIZE-1 && cur < urlSz && url[cur] != 0 &&
url[cur] != ']') {
if (outName) if (outName)
outName[i] = url[cur]; outName[i] = url[cur];
i++; cur++; i++; cur++;
@ -910,8 +911,8 @@ int wolfIO_DecodeUrl(const char* url, int urlSz, char* outName, char* outPath,
cur++; /* skip ']' */ cur++; /* skip ']' */
} }
else { else {
while (url[cur] != 0 && url[cur] != ':' && while (i < MAX_URL_ITEM_SIZE-1 && cur < urlSz && url[cur] != 0 &&
url[cur] != '/' && cur < urlSz) { url[cur] != ':' && url[cur] != '/') {
if (outName) if (outName)
outName[i] = url[cur]; outName[i] = url[cur];
i++; cur++; i++; cur++;
@ -927,9 +928,9 @@ int wolfIO_DecodeUrl(const char* url, int urlSz, char* outName, char* outPath,
word32 bigPort = 0; word32 bigPort = 0;
i = 0; i = 0;
cur++; cur++;
while (cur < urlSz && url[cur] != 0 && url[cur] != '/' && while (i < 6 && cur < urlSz && url[cur] != 0 && url[cur] != '/') {
i < 6) { port[i] = url[cur];
port[i++] = url[cur++]; i++; cur++;
} }
for (j = 0; j < i; j++) { for (j = 0; j < i; j++) {
@ -945,7 +946,7 @@ int wolfIO_DecodeUrl(const char* url, int urlSz, char* outName, char* outPath,
if (cur < urlSz && url[cur] == '/') { if (cur < urlSz && url[cur] == '/') {
i = 0; i = 0;
while (cur < urlSz && url[cur] != 0 && i < MAX_URL_ITEM_SIZE) { while (i < MAX_URL_ITEM_SIZE-1 && cur < urlSz && url[cur] != 0) {
if (outPath) if (outPath)
outPath[i] = url[cur]; outPath[i] = url[cur];
i++; cur++; i++; cur++;
@ -979,6 +980,11 @@ static int wolfIO_HttpProcessResponseBuf(int sfd, byte **recvBuf,
(void)heap; (void)heap;
(void)dynType; (void)dynType;
if (newRecvSz <= 0) {
WOLFSSL_MSG("wolfIO_HttpProcessResponseBuf new receive size overflow");
return MEMORY_E;
}
newRecvBuf = (byte*)XMALLOC(newRecvSz, heap, dynType); newRecvBuf = (byte*)XMALLOC(newRecvSz, heap, dynType);
if (newRecvBuf == NULL) { if (newRecvBuf == NULL) {
WOLFSSL_MSG("wolfIO_HttpProcessResponseBuf malloc failed"); WOLFSSL_MSG("wolfIO_HttpProcessResponseBuf malloc failed");
@ -995,8 +1001,15 @@ static int wolfIO_HttpProcessResponseBuf(int sfd, byte **recvBuf,
/* copy the remainder of the httpBuf into the respBuf */ /* copy the remainder of the httpBuf into the respBuf */
if (len != 0) { if (len != 0) {
XMEMCPY(&newRecvBuf[pos], start, len); if (pos + len <= newRecvSz) {
pos += len; XMEMCPY(&newRecvBuf[pos], start, len);
pos += len;
}
else {
WOLFSSL_MSG("wolfIO_HttpProcessResponseBuf bad size");
XFREE(newRecvBuf, heap, dynType);
return -1;
}
} }
/* receive the remainder of chunk */ /* receive the remainder of chunk */
@ -1323,7 +1336,8 @@ int EmbedOcspLookup(void* ctx, const char* url, int urlSz,
if (path == NULL) if (path == NULL)
return MEMORY_E; return MEMORY_E;
domainName = (char*)XMALLOC(MAX_URL_ITEM_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); domainName = (char*)XMALLOC(MAX_URL_ITEM_SIZE, NULL,
DYNAMIC_TYPE_TMP_BUFFER);
if (domainName == NULL) { if (domainName == NULL) {
XFREE(path, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(path, NULL, DYNAMIC_TYPE_TMP_BUFFER);
return MEMORY_E; return MEMORY_E;