From fcd6c4f203e85dfaf253d6407529ead34a46dc1b Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Mon, 2 Mar 2026 21:02:06 +0100
Subject: [PATCH] Enhance OCSP responder error handling for serial validation and HTTP response truncation
---
 examples/ocsp_responder/ocsp_responder.c | 38 ++++++++++++++++++++++--
 1 file changed, 35 insertions(+), 3 deletions(-)
diff --git a/examples/ocsp_responder/ocsp_responder.c b/examples/ocsp_responder/ocsp_responder.c
index 332665d573..9d864bc6b3 100644
--- a/examples/ocsp_responder/ocsp_responder.c
+++ b/examples/ocsp_responder/ocsp_responder.c
@@ -421,9 +421,30 @@ static int PopulateResponderFromIndex(OcspResponder* responder, IndexEntry* inde
 word32 i;
 /* Convert hex string to bytes */
- serialLen = (word32)XSTRLEN(entry->serial) / 2;
- if (serialLen == 0 || serialLen > sizeof(serial)) {
- continue;
+ {
+ word32 hexLen = (word32)XSTRLEN(entry->serial);
+ word32 j;
+
+ /* Reject odd-length hex strings */
+ if (hexLen % 2 != 0) {
+ LOG_ERROR("Invalid hex serial length (odd): %u\n", hexLen);
+ return BAD_FUNC_ARG;
+ }
+
+ serialLen = hexLen / 2;
+ if (serialLen == 0 || serialLen > sizeof(serial)) {
+ return BAD_FUNC_ARG;
+ }
+
+ /* Validate all characters are hex digits */
+ for (j = 0; j < hexLen; j++) {
+ char c = p[j];
+ if (!((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') ||
+ (c >= 'A' && c <= 'F'))) {
+ LOG_ERROR("Invalid hex character in serial: '%c'\n", c);
+ return BAD_FUNC_ARG;
+ }
+ }
 }
 for (i = 0; i < serialLen; i++) {
@@ -593,6 +614,11 @@ static int SendHttpResponse(SOCKET_T clientfd, const byte* ocspResp, int ocspRes
 "Connection: close\r\n" "\r\n", ocspRespSz);
+ if (headerLen < 0 || headerLen >= (int)sizeof(header)) {
+ LOG_ERROR("HTTP header truncated\n");
+ return -1;
+ }
+
 /* Send header */
 {
 int totalSent = 0;
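Review bot: The size check in the new block (`if (serialLen == 0 || serialLen > sizeof(serial))`) returns BAD_FUNC_ARG without logging, unlike the odd-length and bad-character branches, so an operator cannot tell why the index load stopped; add `LOG_ERROR("Invalid hex serial length: %u\n", hexLen);` before that return. The validation loop reads `p[j]` while `hexLen` is measured on `entry->serial`; `p` is declared outside this hunk, so either index `entry->serial[j]` directly or confirm that `p` still points at the start of that string at this point. `'%c'` writes a raw byte from the index file into the log, and `0x%02x` with `(unsigned char)c` would keep control characters out of it. Because `continue` became `return`, one malformed entry now fails the whole load, which is the safer choice for revocation data but is worth stating in the function comment; the function body starts and ends outside the hunk.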
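Review bot: `ocspRespSz` is a signed int that is formatted straight into the header, and the added check only covers the formatted length, so a negative size would still yield a header that passes it. Unless the part of SendHttpResponse above this hunk already validates its arguments, add `if (ocspResp == NULL || ocspRespSz <= 0) return -1;` before the header is built. The same truncation test is repeated in SendHttpError with an explanatory comment; a matching one here, e.g. `/* snprintf error or truncation: do not send a partial header */`, would keep the two in step.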
@@ -639,6 +665,12 @@ static int SendHttpError(SOCKET_T clientfd, int statusCode, const char* statusMs
 "\r\n" "%s", statusCode, statusMsg, (int)XSTRLEN(statusMsg), statusMsg);
+ /* Handle snprintf error or truncation to avoid sending out-of-bounds data. */
+ if (len < 0 || len >= (int)sizeof(response)) {
+ LOG_ERROR("HTTP error response truncated\n");
+ return -1;
+ }
+
 sent = (int)send(clientfd, response, (size_t)len, 0);
 return (sent == len) ? 0 : -1;
 }
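Review bot: The single `send()` after the new check still reports a short write as failure without retrying, whereas SendHttpResponse appears to loop (its `totalSent` counter is visible in the previous hunk, the loop itself is not). A partial write leaves the client with a cut-off error response, which is the same class of problem this commit sets out to close. Sending in a loop until `len` bytes are out, as sketched below, would make the two functions agree. `statusMsg` also reaches XSTRLEN without a NULL check; if callers only pass literals that is fine, otherwise it should be guarded at the top of the function, which lies outside this hunk.

```c
/* … unchanged: response formatting and truncation check … */
{
    int totalSent = 0;

    while (totalSent < len) {
        sent = (int)send(clientfd, response + totalSent,
                         (size_t)(len - totalSent), 0);
        if (sent <= 0) {
            LOG_ERROR("Failed to send HTTP error response\n");
            return -1;
        }
        totalSent += sent;
    }
}
return 0;
```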