yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-03-04 22:59:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix buffer size calculation

Browse source 
Make sure that buf always has enough room for what it will contain. Before,
this was not the case if the buffer was smaller than the default response,
leading to memory corruption in ssl_server2.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit is contained in:
Gilles Peskine 2022-04-06 23:31:05 +02:00
parent f2e1f47b2e
commit 736d91dae6
1 changed files with 20 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
programs/ssl/ssl_server2.c
View file

@ -164,9 +164,6 @@ int main( void )
/* /*
* Size of the basic I/O buffer. Able to hold our default response. * Size of the basic I/O buffer. Able to hold our default response.
*
* You will need to adapt the mbedtls_ssl_get_bytes_avail() test in ssl-opt.sh
* if you change this value to something outside the range <= 100 or > 500
*/ */
#define DFL_IO_BUF_LEN 200 #define DFL_IO_BUF_LEN 200
@ -2032,10 +2029,26 @@ int main( int argc, char *argv[] )
#if defined(MBEDTLS_DEBUG_C) #if defined(MBEDTLS_DEBUG_C)
mbedtls_debug_set_threshold( opt.debug_level ); mbedtls_debug_set_threshold( opt.debug_level );
#endif #endif
buf = mbedtls_calloc( 1, opt.buffer_size + 1 );
/* buf will alternatively contain the input read from the client and the
* response that's about to be sent, plus a null byte in each case. */
size_t buf_content_size = opt.buffer_size;
/* The default response contains the ciphersuite name. Leave enough
* room for that plus some margin. */
if( buf_content_size < strlen( HTTP_RESPONSE ) + 80 )
{
buf_content_size = strlen( HTTP_RESPONSE ) + 80;
}
if( opt.response_size != DFL_RESPONSE_SIZE &&
buf_content_size < (size_t) opt.response_size )
{
buf_content_size = opt.response_size;
}
buf = mbedtls_calloc( 1, buf_content_size + 1 );
if( buf == NULL ) if( buf == NULL )
{ {
mbedtls_printf( "Could not allocate %u bytes\n", opt.buffer_size ); mbedtls_printf( "Could not allocate %lu bytes\n",
(unsigned long) buf_content_size + 1 );
ret = 3; ret = 3;
goto exit; goto exit;
} }
@ -3654,6 +3667,8 @@ data_exchange:
mbedtls_printf( " > Write to client:" ); mbedtls_printf( " > Write to client:" );
fflush( stdout ); fflush( stdout );
/* If the format of the response changes, make sure there is enough
* room in buf (buf_content_size calculation above). */
len = sprintf( (char *) buf, HTTP_RESPONSE, len = sprintf( (char *) buf, HTTP_RESPONSE,
mbedtls_ssl_get_ciphersuite( &ssl ) ); mbedtls_ssl_get_ciphersuite( &ssl ) );