PATCH: nnrpd/tls.c - fix stack overflow

Chris Caputo ccaputo at alt.net
Wed May 21 15:11:52 UTC 2008


Please consider the following patch for nnrpd/tls.c.  It should apply to 
inn-2.4.2 through 2.4.4.

When an article whose size exceeds the remaining stack is retrieved via 
SSL, a segmentation fault occurs because the buffer is obtained with alloca().

The below patch uses heap based realloc() instead of stack based alloca(), 
with a static buffer growing as needed.

I used realloc() instead of malloc() for performance reasons since this 
function is called frequently.  The caveat is that the memory is never 
free()'ed, so if more correct code is desired you may want to adjust this.

Thanks,
Chris

diff -upr nnrpd-stock/tls.c nnrpd/tls.c
--- nnrpd-stock/tls.c	2004-12-22 04:21:19.000000000 +0000
+++ nnrpd/tls.c	2008-05-21 14:55:52.000000000 +0000
@@ -32,37 +32,6 @@
 #include <sys/stat.h>
 #include <sys/uio.h>
 
-/* taken from lib/parsedate.c */
-#ifndef WRITEV_USE_ALLOCA
-#ifdef alloca
-#define WRITEV_USE_ALLOCA
-#else /* alloca not defined */
-#ifdef __GNUC__
-#define WRITEV_USE_ALLOCA
-#define alloca __builtin_alloca
-#else /* not GNU C.  */
-#if (!defined (__STDC__) && defined (sparc)) || defined (__sparc__) || defined (__sparc) || defined (__sgi) || (defined (__sun) && defined (__i386))
-#define WRITEV_USE_ALLOCA
-#include <alloca.h>
-#else /* not sparc */
-#if (defined (_MSDOS) || defined (_MSDOS_)) && !defined (__TURBOC__)
-#else /* not MSDOS, or __TURBOC__ */
-#if defined(_AIX)
- #pragma alloca
-#define WRITEV_USE_ALLOCA
-#endif /* not _AIX */
-#endif /* not MSDOS, or __TURBOC__ */
-#endif /* not sparc */
-#endif /* not GNU C */
-#endif /* alloca not defined */
-#endif /* WRITEV_USE_ALLOCA not defined */
-#ifdef WRITEV_USE_ALLOCA
-#define WRITEV_ALLOC alloca
-#else
-#define WRITEV_ALLOC malloc
-#endif
-
-
 #endif
 
 /* outside the ifdef so `make depend` works even ifndef HAVE_SSL */
@@ -698,7 +667,8 @@ SSL_writev (ssl, vector, count)
      const struct iovec *vector;
      int count;
 {
-  char *buffer;
+  static char *buffer = NULL;
+  static size_t allocsize = 0;
   char *bp;
   size_t bytes, to_copy;
   int i;
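Review bot: The new `static char *buffer` and `static size_t allocsize` turn a per-call temporary into process-lifetime state, and nothing in the hunk records the consequences for the next reader: SSL_writev is no longer reentrant, the buffer is never released, and since allocsize only grows the process keeps the largest article it has ever written for the rest of its life. A comment on the declarations should say so, e.g. `/* Grown on demand and never freed; SSL_writev is not reentrant. */`. If nnrpd forks one process per connection this is harmless, but that assumption deserves to be stated next to the static. The rest of SSL_writev lies outside this hunk.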
@@ -706,8 +676,20 @@ SSL_writev (ssl, vector, count)
   bytes = 0;
   for (i = 0; i < count; ++i)
     bytes += vector[i].iov_len;
-  /* Allocate a temporary buffer to hold the data.  */
-  buffer = (char *) WRITEV_ALLOC (bytes);
+  /* Allocate a buffer to hold the data.  */
+  if (NULL == buffer)
+    {
+      buffer = (char *) xmalloc(bytes);
+      allocsize = bytes;
+    }
+  else
+    {
+      if (bytes > allocsize)
+        {
+          buffer = (char *) xrealloc (buffer, bytes);
+          allocsize = bytes;
+	}
+    }
   /* Copy the data into BUFFER.  */
   to_copy = bytes;
   bp = buffer;
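Review bot: The end of SSL_writev is outside this hunk, and if the original function still frees `buffer` under `#ifndef WRITEV_USE_ALLOCA` after the SSL_write, that guard is now always true because the first hunk removed the macro block, so the static pointer would be freed and written through on the next call; the patch should either remove that free or show the hunk that does. The two-branch allocation at the `if (NULL == buffer)` line can also collapse into one, since realloc on a NULL pointer behaves as malloc (assuming xrealloc forwards that case): `if (bytes > allocsize) { buffer = xrealloc(buffer, bytes); allocsize = bytes; }`. That form also avoids calling xmalloc(0) on the first call with an empty vector, where the current code allocates a zero-length buffer and records allocsize = 0. The closing brace of the inner `if` is indented with a tab while the surrounding lines use spaces.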

