[gnutls-dev] [PATCH] gnutls_session_get_id overflow handling
Joe Orton
joe at manyfish.co.uk
Tue Nov 29 20:31:25 CET 2005
Errr, sorry, I was completely confused and talking about the wrong
function having been separately trying to track down why my _get_data
usage was wrong with 1.3.0. I meant gnutls_session_get_id.

In 1.3.0, gnutls_session_get_id() will silently overflow the passed-in
buffer if it's too short. This is even more surprising behaviour!

How does this look: (compiled and even tested)

* lib/gnutls_session.c (gnutls_session_get_id): If a non-NULL buffer
is given, fail if the given size is too short rather than silently
overflowing the buffer.

--- ./gnutls_session.c.sessid 2005-11-15 15:53:09.000000000 +0000
+++ ./gnutls_session.c 2005-11-29 19:23:29.000000000 +0000
@@ -126,13 +126,20 @@
void *session_id, size_t * session_id_size)
{
- *session_id_size = session->security_parameters.session_id_size;
-
/* just return the session size */
if (session_id == NULL)
{
+ *session_id_size = session->security_parameters.session_id_size;
return 0;
}
+
+ if (*session_id_size < session->security_parameters.session_id_size)
+ {
+ return GNUTLS_E_SHORT_MEMORY_BUFFER;
+ }
+
+ *session_id_size = session->security_parameters.session_id_size;
+
memcpy (session_id, &session->security_parameters.session_id,
*session_id_size);
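
Review bot: in the new short-buffer branch (`if (*session_id_size < session->security_parameters.session_id_size)`), the function returns GNUTLS_E_SHORT_MEMORY_BUFFER without writing the required length back to `*session_id_size`, so a caller that hits the error has to make a second call with a NULL buffer to learn how much to allocate. Consider assigning `*session_id_size = session->security_parameters.session_id_size;` before that return. Separately, `*session_id_size` changes from output-only to in/out: the removed line wrote it unconditionally at the top, while the new code reads it before writing, so an existing caller that leaves the size uninitialized will now have an indeterminate value compared against the real length. The function's documentation should state that the caller must set `*session_id_size` to the buffer length on entry.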