The branch master has been updated via 148b592db7ea18e0209078fe313514fb7c7553f5 (commit) from a822a0cb3c8466adbcee510a6234c0fe95ff4bfe (commit)
- Log ----------------------------------------------------------------- commit 148b592db7ea18e0209078fe313514fb7c7553f5 Author: Hubert Kario <hka...@redhat.com> Date: Mon Jan 17 20:55:04 2022 +0100 s_server: correctly handle 2^14 byte long records as the code uses BIO_gets, and it always null terminates the strings it reads, when it reads a record 2^14 byte long, it actually returns 2^14-1 bytes to the calling application, in general it returns size-1 bytes to the caller This makes the code sub-optimal (as every 2^14 record will need two BIO_gets() calls) and makes it impossible to use -rev option to test all plaintext lengths (like in openssl#15706) Reviewed-by: Paul Dale <pa...@openssl.org> Reviewed-by: Tomas Mraz <to...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17538) ----------------------------------------------------------------------- Summary of changes: apps/s_server.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/apps/s_server.c b/apps/s_server.c index 9f05cb120a..5ec053b45b 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -3000,7 +3000,9 @@ static int www_body(int s, int stype, int prot, unsigned char *context) /* Set width for a select call if needed */ width = s + 1; - p = buf = app_malloc(bufsize, "server www buffer"); + /* as we use BIO_gets(), and it always null terminates data, we need + * to allocate 1 byte longer buffer to fit the full 2^14 byte record */ + p = buf = app_malloc(bufsize + 1, "server www buffer"); io = BIO_new(BIO_f_buffer()); ssl_bio = BIO_new(BIO_f_ssl()); if ((io == NULL) || (ssl_bio == NULL)) @@ -3065,7 +3067,7 @@ static int www_body(int s, int stype, int prot, unsigned char *context) } for (;;) { - i = BIO_gets(io, buf, bufsize - 1); + i = BIO_gets(io, buf, bufsize + 1); if (i < 0) { /* error */ if (!BIO_should_retry(io) && !SSL_waiting_for_async(con)) { if (!s_quiet) @@ -3129,7 +3131,7 @@ static int www_body(int s, int stype, int prot, unsigned char *context) * we're expecting to come from the client. If they haven't * sent one there's not much we can do. */ - BIO_gets(io, buf, bufsize - 1); + BIO_gets(io, buf, bufsize + 1); } BIO_puts(io, @@ -3412,7 +3414,9 @@ static int rev_body(int s, int stype, int prot, unsigned char *context) SSL *con; BIO *io, *ssl_bio, *sbio; - buf = app_malloc(bufsize, "server rev buffer"); + /* as we use BIO_gets(), and it always null terminates data, we need + * to allocate 1 byte longer buffer to fit the full 2^14 byte record */ + buf = app_malloc(bufsize + 1, "server rev buffer"); io = BIO_new(BIO_f_buffer()); ssl_bio = BIO_new(BIO_f_ssl()); if ((io == NULL) || (ssl_bio == NULL)) @@ -3487,7 +3491,7 @@ static int rev_body(int s, int stype, int prot, unsigned char *context) print_ssl_summary(con); for (;;) { - i = BIO_gets(io, buf, bufsize - 1); + i = BIO_gets(io, buf, bufsize + 1); if (i < 0) { /* error */ if (!BIO_should_retry(io)) { if (!s_quiet)