diff options
author | Hubert Kario <hkario@redhat.com> | 2022-01-17 20:55:04 +0100 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2022-01-20 11:12:21 +0100 |
commit | 148b592db7ea18e0209078fe313514fb7c7553f5 (patch) | |
tree | 91b19a313bd239875c03655162ae7a78f9210497 /apps | |
parent | a822a0cb3c8466adbcee510a6234c0fe95ff4bfe (diff) |
s_server: correctly handle 2^14 byte long records
as the code uses BIO_gets, and it always null terminates the
strings it reads, when it reads a record 2^14 byte long, it actually
returns 2^14-1 bytes to the calling application, in general it returns
size-1 bytes to the caller
This makes the code sub-optimal (as every 2^14 record will need two
BIO_gets() calls) and makes it impossible to use -rev option to test
all plaintext lengths (like in openssl#15706)
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17538)
Diffstat (limited to 'apps')
-rw-r--r-- | apps/s_server.c | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/apps/s_server.c b/apps/s_server.c index 9f05cb120a..5ec053b45b 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -3000,7 +3000,9 @@ static int www_body(int s, int stype, int prot, unsigned char *context) /* Set width for a select call if needed */ width = s + 1; - p = buf = app_malloc(bufsize, "server www buffer"); + /* as we use BIO_gets(), and it always null terminates data, we need + * to allocate 1 byte longer buffer to fit the full 2^14 byte record */ + p = buf = app_malloc(bufsize + 1, "server www buffer"); io = BIO_new(BIO_f_buffer()); ssl_bio = BIO_new(BIO_f_ssl()); if ((io == NULL) || (ssl_bio == NULL)) @@ -3065,7 +3067,7 @@ static int www_body(int s, int stype, int prot, unsigned char *context) } for (;;) { - i = BIO_gets(io, buf, bufsize - 1); + i = BIO_gets(io, buf, bufsize + 1); if (i < 0) { /* error */ if (!BIO_should_retry(io) && !SSL_waiting_for_async(con)) { if (!s_quiet) @@ -3129,7 +3131,7 @@ static int www_body(int s, int stype, int prot, unsigned char *context) * we're expecting to come from the client. If they haven't * sent one there's not much we can do. */ - BIO_gets(io, buf, bufsize - 1); + BIO_gets(io, buf, bufsize + 1); } BIO_puts(io, @@ -3412,7 +3414,9 @@ static int rev_body(int s, int stype, int prot, unsigned char *context) SSL *con; BIO *io, *ssl_bio, *sbio; - buf = app_malloc(bufsize, "server rev buffer"); + /* as we use BIO_gets(), and it always null terminates data, we need + * to allocate 1 byte longer buffer to fit the full 2^14 byte record */ + buf = app_malloc(bufsize + 1, "server rev buffer"); io = BIO_new(BIO_f_buffer()); ssl_bio = BIO_new(BIO_f_ssl()); if ((io == NULL) || (ssl_bio == NULL)) @@ -3487,7 +3491,7 @@ static int rev_body(int s, int stype, int prot, unsigned char *context) print_ssl_summary(con); for (;;) { - i = BIO_gets(io, buf, bufsize - 1); + i = BIO_gets(io, buf, bufsize + 1); if (i < 0) { /* error */ if (!BIO_should_retry(io)) { if (!s_quiet) |