Merge branch 'fix-token-info-modname' into 'master'

Fix gnutls_pkcs11_token_get_info for short output buffers and fix a memleak

See merge request gnutls/gnutls!827

1 files changed, 36 insertions, 11 deletions

diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index 1a335ea959..c974565830 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -612,12 +612,17 @@ gnutls_pkcs11_obj_set_info(gnutls_pkcs11_obj_t obj,
  * @obj: should contain a #gnutls_pkcs11_obj_t type
  * @itype: Denotes the type of information requested
  * @output: where output will be stored
- * @output_size: contains the maximum size of the output and will be overwritten with actual
+ * @output_size: contains the maximum size of the output buffer and will be
+ *     overwritten with the actual size.
  *
  * This function will return information about the PKCS11 certificate
  * such as the label, id as well as token information where the key is
- * stored. When output is text it returns null terminated string
- * although @output_size contains the size of the actual data only.
+ * stored.
+ *
+ * When output is text, a null terminated string is written to @output and its
+ * string length is written to @output_size (without null terminator). If the
+ * buffer is too small, @output_size will contain the expected buffer size
+ * (with null terminator for text) and return %GNUTLS_E_SHORT_MEMORY_BUFFER.
  *
  * In versions previously to 3.6.0 this function included the null terminator
  * to @output_size. After 3.6.0 the output size doesn't include the terminator character.
@@ -2447,11 +2452,17 @@ gnutls_pkcs11_token_get_url(unsigned int seq,
  * @url: should contain a PKCS 11 URL
  * @ttype: Denotes the type of information requested
  * @output: where output will be stored
- * @output_size: contains the maximum size of the output and will be overwritten with actual
+ * @output_size: contains the maximum size of the output buffer and will be
+ *     overwritten with the actual size.
  *
  * This function will return information about the PKCS 11 token such
  * as the label, id, etc.
  *
+ * When output is text, a null terminated string is written to @output and its
+ * string length is written to @output_size (without null terminator). If the
+ * buffer is too small, @output_size will contain the expected buffer size
+ * (with null terminator for text) and return %GNUTLS_E_SHORT_MEMORY_BUFFER.
+ *
  * Returns: %GNUTLS_E_SUCCESS (0) on success or a negative error code
  * on error.
  *
@@ -2465,6 +2476,7 @@ gnutls_pkcs11_token_get_info(const char *url,
 	struct p11_kit_uri *info = NULL;
 	const uint8_t *str;
 	size_t str_max;
+	char *temp_str = NULL;
 	size_t len;
 	int ret;
 
@@ -2505,10 +2517,14 @@ gnutls_pkcs11_token_get_info(const char *url,
 			goto cleanup;
 		}
 
-		snprintf(output, *output_size, "%s", tn.modname);
-		*output_size = strlen(output);
-		ret = 0;
-		goto cleanup;
+		temp_str = tn.modname;
+		if (temp_str == NULL) {
+			gnutls_assert();
+			str_max = 0;
+		} else {
+			str = (uint8_t *)temp_str;
+		}
+		break;
 	}
 	default:
 		gnutls_assert();
@@ -2516,14 +2532,21 @@ gnutls_pkcs11_token_get_info(const char *url,
 		goto cleanup;
 	}
 
-	len = p11_kit_space_strlen(str, str_max);
+	if (temp_str)
+		len = strlen(temp_str);
+	else if (str_max == 0)
+		len = 0;
+	else
+		len = p11_kit_space_strlen(str, str_max);
 
 	if (len + 1 > *output_size) {
 		*output_size = len + 1;
-		return GNUTLS_E_SHORT_MEMORY_BUFFER;
+		ret = GNUTLS_E_SHORT_MEMORY_BUFFER;
+		goto cleanup;
 	}
 
-	memcpy(output, str, len);
+	if (len)
+		memcpy(output, str, len);
 	((char *) output)[len] = '\0';
 
 	*output_size = len;
@@ -2531,6 +2554,7 @@ gnutls_pkcs11_token_get_info(const char *url,
 	ret = 0;
 
  cleanup:
+	free(temp_str);
 	p11_kit_uri_free(info);
 	return ret;
 }
@@ -2584,6 +2608,7 @@ gnutls_pkcs11_token_get_ptr(const char *url, void **ptr, unsigned long *slot_id,
 	ret = 0;
 
  cleanup:
+	free(tn.modname);
 	p11_kit_uri_free(info);
 	return ret;
 }