Fix buffer size calculation
Make sure that buf always has enough room for what it will contain. Before,
this was not the case if the buffer was smaller than the default response,
leading to memory corruption in ssl_server2.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 2cce755..4b1b6df 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -164,9 +164,6 @@
/*
* Size of the basic I/O buffer. Able to hold our default response.
- *
- * You will need to adapt the mbedtls_ssl_get_bytes_avail() test in ssl-opt.sh
- * if you change this value to something outside the range <= 100 or > 500
*/
#define DFL_IO_BUF_LEN 200
@@ -2032,10 +2029,26 @@
#if defined(MBEDTLS_DEBUG_C)
mbedtls_debug_set_threshold( opt.debug_level );
#endif
- buf = mbedtls_calloc( 1, opt.buffer_size + 1 );
+
+ /* buf will alternatively contain the input read from the client and the
+ * response that's about to be sent, plus a null byte in each case. */
+ size_t buf_content_size = opt.buffer_size;
+ /* The default response contains the ciphersuite name. Leave enough
+ * room for that plus some margin. */
+ if( buf_content_size < strlen( HTTP_RESPONSE ) + 80 )
+ {
+ buf_content_size = strlen( HTTP_RESPONSE ) + 80;
+ }
+ if( opt.response_size != DFL_RESPONSE_SIZE &&
+ buf_content_size < (size_t) opt.response_size )
+ {
+ buf_content_size = opt.response_size;
+ }
+ buf = mbedtls_calloc( 1, buf_content_size + 1 );
if( buf == NULL )
{
- mbedtls_printf( "Could not allocate %u bytes\n", opt.buffer_size );
+ mbedtls_printf( "Could not allocate %lu bytes\n",
+ (unsigned long) buf_content_size + 1 );
ret = 3;
goto exit;
}
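Review bot: The new minimum size is derived from an unnamed `+ 80` margin (twice, on the condition and the assignment) whose only justification is the comment "some margin" for the ciphersuite name, so the relationship between this number and the `HTTP_RESPONSE` write below is invisible to anyone who later changes the response format; a named constant next to `DFL_IO_BUF_LEN`, e.g. `#define HTTP_RESPONSE_MARGIN 80 /* room for the ciphersuite name in HTTP_RESPONSE */`, used in both places would make that coupling explicit. The assignment `buf_content_size = opt.response_size;` also drops the `(size_t)` cast that the preceding comparison carries; for consistency and to silence sign-conversion warnings write `buf_content_size = (size_t) opt.response_size;`. Whether `opt.response_size` can still be negative here depends on the option parsing, which is outside the hunk; if it can, the cast in the comparison turns a negative value into a huge size and the allocation request rather than the parser reports the problem. The enclosing function starts and ends outside this hunk.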
@@ -3654,6 +3667,8 @@
mbedtls_printf( " > Write to client:" );
fflush( stdout );
+ /* If the format of the response changes, make sure there is enough
+ * room in buf (buf_content_size calculation above). */
len = sprintf( (char *) buf, HTTP_RESPONSE,
mbedtls_ssl_get_ciphersuite( &ssl ) );
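Review bot: The write into `buf` is still an unbounded `sprintf`, so the fix relies entirely on the size computed earlier covering whatever `mbedtls_ssl_get_ciphersuite()` returns; the added comment asks future editors to keep the two in sync, but a bounded write would make a mismatch a detectable truncation instead of a heap overflow. Assuming `buf_content_size` is still in scope at this point (the allocation and this write appear to be in the same function, but its boundaries are outside the hunk), `len = snprintf( (char *) buf, buf_content_size + 1, HTTP_RESPONSE, mbedtls_ssl_get_ciphersuite( &ssl ) );` followed by `if( len < 0 || (size_t) len > buf_content_size ) { ret = 3; goto exit; }` keeps the existing behaviour on the normal path and fails closed otherwise. The type of `len` is not visible here; the cast in the check assumes it is signed like the `sprintf` return value.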