From 3ab50ccba484449ce4762faa627f9287a1855f82 Mon Sep 17 00:00:00 2001
From: Christian Spielberger
Date: Tue, 15 Nov 2022 16:50:40 +0100
Subject: [PATCH] tls: avoid some clang warnings
---
 src/tls/openssl/tls.c | 12 ++++++++++--
 src/tls/openssl/tls_tcp.c | 2 +-
 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/tls/openssl/tls.c b/src/tls/openssl/tls.c
index b48985028..ce4f28341 100644
--- a/src/tls/openssl/tls.c
+++ b/src/tls/openssl/tls.c
@@ -1953,6 +1953,9 @@ int bio_sni_from_client_hello(BIO *bio, struct pl *sni)
 /* Server Name length */
 err = pl_bin_u16(&sniext, &sn_len);
+ if (err)
+ return err;
+
 if (sn_len >= TLSEXT_MAXLEN_host_name)
 return EINVAL;
@@ -2112,6 +2115,7 @@ struct tls_cert *tls_cert_for_sni(const struct tls *tls, const struct pl *sni)
 {
 struct tls_cert *tls_cert = NULL;
 struct le *le;
+ int sz;
 char *cn;
 if (!tls || !list_head(&tls->certs))
@@ -2120,7 +2124,11 @@ struct tls_cert *tls_cert_for_sni(const struct tls *tls, const struct pl *sni)
 if (!pl_isset(sni))
 return list_head(&tls->certs)->data;
- cn = mem_zalloc(sni->l + 1, NULL);
+ if (sni->l >= TLSEXT_MAXLEN_host_name)
+ return NULL;
+
+ sz = (int) sni->l + 1;
+ cn = mem_zalloc(sz, NULL);
 LIST_FOREACH(&tls->certs, le) {
 X509 *x509;
 X509_NAME *nm;
@@ -2135,7 +2143,7 @@ struct tls_cert *tls_cert_for_sni(const struct tls *tls, const struct pl *sni)
 }
 nm = X509_get_subject_name(x509);
- X509_NAME_get_text_by_NID(nm, NID_commonName, cn, sni->l + 1);
+ X509_NAME_get_text_by_NID(nm, NID_commonName, cn, sz);
 if (!pl_strcmp(sni, cn))
 break;
diff --git a/src/tls/openssl/tls_tcp.c b/src/tls/openssl/tls_tcp.c
index edaa0399b..4b9599c0f 100644
--- a/src/tls/openssl/tls_tcp.c
+++ b/src/tls/openssl/tls_tcp.c
@@ -216,7 +216,7 @@ static bool estab_handler(int *err, bool active, void *arg)
 static int tls_use_cert(struct tls_conn *tc, struct tls_cert *uc)
 {
 int err;
- int r;
+ long r;
 #if !defined(LIBRESSL_VERSION_NUMBER)
 SSL_certs_clear(tc->ssl);
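Review bot: The added early return after `err = pl_bin_u16(&sniext, &sn_len);` carries no comment saying what it guards, and bio_sni_from_client_hello's body continues outside the hunk, so a reader only sees the upper-bound check on sn_len that follows; suggest `/* truncated extension: do not use sn_len */` above the `if (err)`. Whether sn_len is also checked against the bytes remaining in sniext is not visible from here and is presumably handled further down.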
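Review bot: The rewritten allocation `cn = mem_zalloc(sz, NULL);` in tls_cert_for_sni is still not checked for NULL, and that same `cn` is passed to `X509_NAME_get_text_by_NID(nm, NID_commonName, cn, sz)` in the following hunk (@@ -2135) and then to `pl_strcmp`; a one-line guard `if (!cn) return NULL;` directly after the allocation would close this, consistent with the `return NULL` the hunk already introduces for an over-long name. The new bound also deserves a comment, since it is what makes the `(int)` conversion safe: `/* bounded so the int conversion below cannot overflow; bio_sni_from_client_hello enforces the same limit on parsed names */`. Note that a name of length TLSEXT_MAXLEN_host_name or more now yields NULL instead of continuing the lookup, so callers that treat NULL as "no certificate" see a behaviour change for such input — presumably intended, but worth stating in the commit message. The function's body continues outside the hunk.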