[PATCH] server_name: Store the actual number of server names
Martin Storsjo
martin at martin.st
Wed Oct 31 14:45:15 CET 2012
Earlier, if the number of set server names exceeded the maximum,
the server_names field wasn't bounded to the maximum, which could
lead to reading out of bounds in _gnutls_server_name_send_params.
---
lib/ext/server_name.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/ext/server_name.c b/lib/ext/server_name.c
index 005d80b..ad449ad 100644
--- a/lib/ext/server_name.c
+++ b/lib/ext/server_name.c
@@ -391,21 +391,21 @@ gnutls_server_name_set (gnutls_session_t session,
server_names = priv->server_names_size + 1;
if (server_names > MAX_SERVER_NAME_EXTENSIONS)
server_names = MAX_SERVER_NAME_EXTENSIONS;
priv->server_names[server_names - 1].type = type;
memcpy (priv->server_names[server_names - 1].name, name, name_length);
priv->server_names[server_names - 1].name_length = name_length;
- priv->server_names_size++;
+ priv->server_names_size = server_names;
if (set != 0)
_gnutls_ext_set_session_data (session, GNUTLS_EXTENSION_SERVER_NAME,
epriv);
return 0;
}
static void
_gnutls_server_name_deinit_data (extension_priv_data_t priv)
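Review bot: When `priv->server_names_size` is already `MAX_SERVER_NAME_EXTENSIONS`, the clamp at the top of this hunk makes the three writes replace the last stored entry, and the function still returns 0, so the caller cannot tell that an earlier name was silently dropped. Storing the clamped count fixes the out-of-bounds read described in the commit message, but I would reject the call before the index is computed, e.g. `if (priv->server_names_size >= MAX_SERVER_NAME_EXTENSIONS) return GNUTLS_E_INVALID_REQUEST;` (or whichever error code the project prefers). Failing that, document the overwrite with a comment such as `/* at the limit, the last entry is overwritten */`. The body of gnutls_server_name_set starts above the hunk, so it is not visible here whether `name_length` is checked against the size of the `name` buffer before the `memcpy`; please confirm that bound exists.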
--
1.7.9.4