MINOR: ssl: Limit ocsp_uri buffer size to minimum
The ocsp_uri field of the certificate_ocsp structure was a 16k buffer
when it could be allocated by hand with just the size required to store
the OCSP URI. This field now behaves the same way as the sctl and
ocsp_response buffers of the ckch_store structure.
diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index 4b1b659..73679cb 100644
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -373,8 +373,10 @@
sk_X509_pop_free(ocsp->chain, X509_free);
ocsp->chain = NULL;
chunk_destroy(&ocsp->response);
- free_trash_chunk(ocsp->uri);
- ocsp->uri = NULL;
+ if (ocsp->uri) {
+ ha_free(&ocsp->uri->area);
+ ha_free(&ocsp->uri);
+ }
free(ocsp);
}
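Review bot: The release at `if (ocsp->uri) {` now assumes both `ocsp->uri` and `ocsp->uri->area` came from the heap allocator, so any other site that still fills this field with `alloc_trash_chunk()` or releases it with `free_trash_chunk()` would hand a pointer to the wrong allocator. Only the allocation in src/ssl_sock.c is visible in this commit, so it is worth confirming that no other assignment or free of the `uri` field remains. A short comment above the block would record the ownership, for example `/* uri and uri->area are heap-allocated (calloc + chunk_dup), not pool chunks */`. The enclosing function starts outside the hunk.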
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 18d006f..5bdab8c 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1255,11 +1255,11 @@
if (data->chain)
iocsp->chain = X509_chain_up_ref(data->chain);
- iocsp->uri = alloc_trash_chunk();
- if (!iocsp->uri)
- goto out;
- if (!chunk_cpy(iocsp->uri, ocsp_uri))
+ iocsp->uri = calloc(1, sizeof(*iocsp->uri));
+ if (!chunk_dup(iocsp->uri, ocsp_uri)) {
+ ha_free(&iocsp->uri);
goto out;
+ }
ssl_ocsp_update_insert(iocsp);
}
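Review bot: The result of `calloc()` is passed straight to `chunk_dup()` without a NULL check, so an out-of-memory condition is handled only if `chunk_dup()` itself rejects a NULL destination, which this hunk does not show. Making the check explicit keeps the call site safe regardless of the helper's contract: `if (!iocsp->uri || !chunk_dup(iocsp->uri, ocsp_uri)) {`. The following `ha_free(&iocsp->uri)` should then be harmless on a NULL pointer, assuming it wraps `free()`. The surrounding function begins and ends outside the hunk, so what the `out` label does with the partially built `iocsp` cannot be checked here.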