From: Remi Tricot-Le Breton
Date: Mon, 9 Jan 2023 11:02:48 +0000 (+0100)
Subject: MINOR: ssl: Limit ocsp_uri buffer size to minimum
X-Git-Tag: v2.8-dev2~82
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=648c83ecddba78f0235260fc2eab44e4524563dc;p=thirdparty%2Fhaproxy.git

MINOR: ssl: Limit ocsp_uri buffer size to minimum

The ocsp_uri field of the certificate_ocsp structure was a 16k buffer when it could be hand allocated to just the required size to store the OCSP uri. This field is now behaving the same way as the sctl and ocsp_response buffers of the ckch_store structure.
---

diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index 4b1b65961f..73679cbd47 100644
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -373,8 +373,10 @@ void ssl_sock_free_ocsp(struct certificate_ocsp *ocsp)
 sk_X509_pop_free(ocsp->chain, X509_free);
 ocsp->chain = NULL;
 chunk_destroy(&ocsp->response);
- free_trash_chunk(ocsp->uri);
- ocsp->uri = NULL;
+ if (ocsp->uri) {
+ ha_free(&ocsp->uri->area);
+ ha_free(&ocsp->uri);
+ }
 free(ocsp);
 }
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 18d006feb5..5bdab8cccb 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1255,11 +1255,11 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X50
 if (data->chain)
 iocsp->chain = X509_chain_up_ref(data->chain);
- iocsp->uri = alloc_trash_chunk();
- if (!iocsp->uri)
- goto out;
- if (!chunk_cpy(iocsp->uri, ocsp_uri))
+ iocsp->uri = calloc(1, sizeof(*iocsp->uri));
+ if (!chunk_dup(iocsp->uri, ocsp_uri)) {
+ ha_free(&iocsp->uri);
 goto out;
+ }
 ssl_ocsp_update_insert(iocsp);
 }
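Review bot: The new two-step release in ssl_sock_free_ocsp, `ha_free(&ocsp->uri->area)` followed by `ha_free(&ocsp->uri)`, carries no comment explaining why two frees are now required, and nothing in the hunk records that `uri` has become an individually allocated `struct buffer` that also owns its `area`. A one-line comment above the `if (ocsp->uri)` guard, such as `/* uri is a calloc()'d struct buffer whose area was chunk_dup()'d in ssl_sock_load_ocsp; release both */`, would keep a later reader from collapsing this back into a single free and leaking the area. The semantics of ha_free (presumably free-and-NULL) are not visible here, and the rest of ssl_sock_free_ocsp lies outside the hunk.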
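Review bot: The explicit NULL check that the removed lines had is gone: `iocsp->uri = calloc(1, sizeof(*iocsp->uri));` is handed straight to `chunk_dup(iocsp->uri, ocsp_uri)`, so behaviour on allocation failure now depends on chunk_dup rejecting a NULL destination, which this hunk does not show. I would restore the guard between those two lines, `if (!iocsp->uri) goto out;`, so the intent is explicit in the caller rather than relying on a helper's contract; the `ha_free(&iocsp->uri)` on the chunk_dup failure path remains correct either way. The `out:` label and the rest of ssl_sock_load_ocsp are outside the hunk, so that `out` releases iocsp itself is inferred from the removed code having jumped there at the same point.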