author | Daiki Ueno <ueno@gnu.org> | 2020-10-18 07:25:42 +0200 |
---|---|---|
committer | Daiki Ueno <ueno@gnu.org> | 2020-10-18 19:18:11 +0200 |
commit | 7f9eb884aa17665278b0f87a60153a8a3b6f450e (patch) | |
tree | 66c97523aa33d1c671b44e9f1ac46a00d13ede9e | |
parent | e748eac332661781a010b92cb2ce6d6c080d0b15 (diff) | |
download | gnutls-7f9eb884aa17665278b0f87a60153a8a3b6f450e.tar.gz |
serv: peer_print_info: add overflow check on realloc
Signed-off-by: Daiki Ueno <ueno@gnu.org>
-rw-r--r-- | bootstrap.conf | 2 | ||||
-rw-r--r-- | src/serv.c | 24 |
2 files changed, 16 insertions, 10 deletions
diff --git a/bootstrap.conf b/bootstrap.conf
index 36b6d58f8e..387c4f8d51 100644
--- a/bootstrap.conf
+++ b/bootstrap.conf
@@ -36,7 +36,7 @@ unictype/category-all unictype/property-default-ignorable-code-point unictype/pr
 "
 src_modules="
-accept bind close connect getaddrinfo getpass gettext-h arpa_inet inet_ntop inet_pton inttypes listen linked-list minmax parse-datetime progname read-file recv recvfrom select send sendto servent setsockopt shutdown socket sockets socklen xalloc xlist
+accept bind close connect getaddrinfo getpass gettext-h arpa_inet inet_ntop inet_pton inttypes listen linked-list minmax parse-datetime progname read-file recv recvfrom select send sendto servent setsockopt shutdown socket sockets socklen xalloc xlist xsize
 "
 # Build prerequisites
diff --git a/src/serv.c b/src/serv.c
index 629c398529..add0ee4065 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -50,6 +50,7 @@
 #include "read-file.h"
 #include "sockets.h"
 #include "xalloc.h"
+#include "xsize.h"
 /* konqueror cannot handle sending the page in multiple
 * pieces.
@@ -562,7 +563,7 @@ static char *peer_print_info(gnutls_session_t session, int *ret_length,
 char *http_buffer, *desc;
 gnutls_kx_algorithm_t kx_alg;
 size_t len = 20 * 1024 + strlen(header);
- char *crtinfo = NULL, *crtinfo_old = NULL;
+ char *crtinfo = NULL;
 gnutls_protocol_t version;
 size_t ncrtinfo = 0;
@@ -600,17 +601,22 @@ static char *peer_print_info(gnutls_session_t session, int *ret_length,
 && gnutls_x509_crt_print(cert, GNUTLS_CRT_PRINT_FULL, &info) == 0) {
- const char *post = "</PRE><P><PRE>";
+ const char post[] = "</PRE><P><PRE>";
+ char *crtinfo_new;
+ size_t ncrtinfo_new;
- crtinfo_old = crtinfo;
- crtinfo =
- realloc(crtinfo,
- ncrtinfo + info.size +
- strlen(post) + 1);
- if (crtinfo == NULL) {
- free(crtinfo_old);
+ ncrtinfo_new = xsum3(ncrtinfo, info.size,
+ sizeof(post));
+ if (size_overflow_p(ncrtinfo_new)) {
+ free(crtinfo);
 return NULL;
 }
+ crtinfo_new = realloc(crtinfo, ncrtinfo_new);
+ if (crtinfo_new == NULL) {
+ free(crtinfo);
+ return NULL;
+ }
+ crtinfo = crtinfo_new;
 memcpy(crtinfo + ncrtinfo, info.data, info.size);
 ncrtinfo += info.size; |
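Review bot: Both early returns in this hunk (the new `size_overflow_p` branch and the `realloc` failure branch) free `crtinfo` but leave `info.data` unreleased, which `gnutls_x509_crt_print` filled in the condition just above, and they also leave the `cert` handle used in that call untouched. Adding `gnutls_free(info.data);` and, if `cert` is not released elsewhere, `gnutls_x509_crt_deinit(cert);` before each `return NULL;` would close that; the normal-path cleanup lies after the hunk, so check against it. The leak only occurs on allocation failure or size overflow, so the impact is small, but `info.size` derives from a peer-supplied certificate and the error path is worth keeping tidy. A short comment that `sizeof(post)` deliberately counts the terminating NUL, replacing the old explicit `strlen(post) + 1`, would also help the next reader.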