Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 1c913e4232c82777bb1bcb2266f34670d5174342^! / . / src / ssl_sock.c
commit1c913e4232c82777bb1bcb2266f34670d5174342[log] [tgz]
authorWilly Tarreau <w@1wt.eu>Wed Aug 22 05:26:57 2018 +0200
committerWilly Tarreau <w@1wt.eu>Wed Aug 22 05:28:32 2018 +0200
tree6918a9d5d8f20a08259431b5e4d072bb847aa204
parentb406b8708fef5ff51e684794b5df4fea728b0058 [diff] [blame]
BUG/MEDIUM: cli/ssl: don't store base64dec() result in the trash's length

By convenience or laziness we used to store base64dec()'s return code
into trash.data and to compare it against 0 to check for conversion
failure, but it's now unsigned since commit 843b7cb ("MEDIUM: chunks:
make the chunk struct's fields match the buffer struct"). Let's clean
this up and test the result itself without storing it first.

No backport is needed.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 5610a41..5dbd6b6 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -8572,6 +8572,7 @@
 static int cli_parse_set_tlskeys(char **args, char *payload, struct appctx *appctx, void *private)
 {
 	struct tls_keys_ref *ref;
+	int ret;
 
 	/* Expect two parameters: the filename and the new new TLS key in encoding */
 	if (!*args[3] || !*args[4]) {
@@ -8589,14 +8590,14 @@
 		return 1;
 	}
 
-	trash.data = base64dec(args[4], strlen(args[4]), trash.area,
-			      trash.size);
-	if (trash.data != sizeof(struct tls_sess_key)) {
+	ret = base64dec(args[4], strlen(args[4]), trash.area, trash.size);
+	if (ret != sizeof(struct tls_sess_key)) {
 		appctx->ctx.cli.severity = LOG_ERR;
 		appctx->ctx.cli.msg = "'set ssl tls-key' received invalid base64 encoded TLS key.\n";
 		appctx->st0 = CLI_ST_PRINT;
 		return 1;
 	}
+	trash.data = ret;
 	ssl_sock_update_tlskey_ref(ref, &trash);
 	appctx->ctx.cli.severity = LOG_INFO;
 	appctx->ctx.cli.msg = "TLS ticket key updated!\n";
@@ -8610,7 +8611,7 @@
 {
 #if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
 	char *err = NULL;
-	int i, j;
+	int i, j, ret;
 
 	if (!payload)
 		payload = args[3];
@@ -8631,14 +8632,15 @@
 	}
 	payload[j] = 0;
 
-	trash.data = base64dec(payload, j, trash.area, trash.size);
-	if (trash.data < 0) {
+	ret = base64dec(payload, j, trash.area, trash.size);
+	if (ret < 0) {
 		appctx->ctx.cli.severity = LOG_ERR;
 		appctx->ctx.cli.msg = "'set ssl ocsp-response' received invalid base64 encoded response.\n";
 		appctx->st0 = CLI_ST_PRINT;
 		return 1;
 	}
 
+	trash.data = ret;
 	if (ssl_sock_update_ocsp_response(&trash, &err)) {
 		if (err) {
 			memprintf(&err, "%s.\n", err);