@@ -421,9 +421,30 @@ static int PopulateResponderFromIndex(OcspResponder* responder, IndexEntry* inde
421421 word32 i ;
422422
423423 /* Convert hex string to bytes */
424- serialLen = (word32 )XSTRLEN (entry -> serial ) / 2 ;
425- if (serialLen == 0 || serialLen > sizeof (serial )) {
426- continue ;
424+ {
425+ word32 hexLen = (word32 )XSTRLEN (entry -> serial );
426+ word32 j ;
427+
428+ /* Reject odd-length hex strings */
429+ if (hexLen % 2 != 0 ) {
430+ LOG_ERROR ("Invalid hex serial length (odd): %u\n" , hexLen );
431+ return BAD_FUNC_ARG ;
432+ }
433+
434+ serialLen = hexLen / 2 ;
435+ if (serialLen == 0 || serialLen > sizeof (serial )) {
436+ return BAD_FUNC_ARG ;
437+ }
438+
439+ /* Validate all characters are hex digits */
440+ for (j = 0 ; j < hexLen ; j ++ ) {
441+ char c = p [j ];
442+ if (!((c >= '0' && c <= '9' ) || (c >= 'a' && c <= 'f' ) ||
443+ (c >= 'A' && c <= 'F' ))) {
444+ LOG_ERROR ("Invalid hex character in serial: '%c'\n" , c );
445+ return BAD_FUNC_ARG ;
446+ }
447+ }
427448 }
428449
429450 for (i = 0 ; i < serialLen ; i ++ ) {
@@ -593,6 +614,11 @@ static int SendHttpResponse(SOCKET_T clientfd, const byte* ocspResp, int ocspRes
593614 "Connection: close\r\n"
594615 "\r\n" , ocspRespSz );
595616
617+ if (headerLen < 0 || headerLen >= (int )sizeof (header )) {
618+ LOG_ERROR ("HTTP header truncated\n" );
619+ return -1 ;
620+ }
621+
596622 /* Send header */
597623 {
598624 int totalSent = 0 ;
@@ -639,6 +665,12 @@ static int SendHttpError(SOCKET_T clientfd, int statusCode, const char* statusMs
639665 "\r\n"
640666 "%s" , statusCode , statusMsg , (int )XSTRLEN (statusMsg ), statusMsg );
641667
668+ /* Handle snprintf error or truncation to avoid sending out-of-bounds data. */
669+ if (len < 0 || len >= (int )sizeof (response )) {
670+ LOG_ERROR ("HTTP error response truncated\n" );
671+ return -1 ;
672+ }
673+
642674 sent = (int )send (clientfd , response , (size_t )len , 0 );
643675 return (sent == len ) ? 0 : -1 ;
644676}
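Review bot: In the first hunk the validation loop reads `p[j]` while its bound `hexLen` was measured on `entry->serial`, and `p` is assigned outside the visible lines, so the check only covers the right bytes if `p` still points at the start of that string. Indexing the object the length came from, `char c = entry->serial[j];`, removes that dependency. The size check `serialLen == 0 || serialLen > sizeof(serial)` now returns `BAD_FUNC_ARG` without a `LOG_ERROR`, unlike the two new rejections beside it. The replaced `continue` suggests this code sits in a per-entry loop, so a single malformed index line now appears to fail the whole load; a comment stating that this fail-closed behaviour is intended would help. The function body starts and ends outside the hunk.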