[openssl-dev] [openssl.org #3955] [PATCH] Reduce stack usage in PKCS7_verify()
David Woodhouse via RT
rt at openssl.org
Thu Jul 23 18:22:50 UTC 2015
From: "Long, Qin" <qin.long at intel.com>
Some environments, such as 32-bit UEFI, have strict limits on stack size.
Using a 4KiB buffer on the stack for reading from p7bio is somewhat
excessive, so allocate it on the heap instead.
---
Alternatively, we could leave it on the stack and reduce it to 256
bytes or something like that. It's not as if performance is really an
issue here if we do that, right?
crypto/pkcs7/pk7_smime.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c
index e52e746..077b06d 100644
--- a/crypto/pkcs7/pk7_smime.c
+++ b/crypto/pkcs7/pk7_smime.c
@@ -253,7 +253,8 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
PKCS7_SIGNER_INFO *si;
X509_STORE_CTX cert_ctx;
- char buf[4096];
+ char *buf = NULL;
+ int bufsiz;
int i, j = 0, k, ret = 0;
BIO *p7bio;
BIO *tmpin, *tmpout;
@@ -365,9 +366,14 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
} else
tmpout = out;
+ bufsiz = 4096;
+ buf = OPENSSL_malloc(bufsiz);
+ if (buf == NULL) {
+ goto err;
+ }
/* We now have to 'read' from p7bio to calculate digests etc. */
for (;;) {
- i = BIO_read(p7bio, buf, sizeof(buf));
+ i = BIO_read(p7bio, buf, bufsiz);
if (i <= 0)
break;
if (tmpout)
@@ -407,6 +413,10 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
sk_X509_free(signers);
+ if (buf != NULL) {
+ OPENSSL_free(buf);
+ }
+
return ret;
}
--
2.4.3
--
David Woodhouse Open Source Technology Centre
David.Woodhouse at intel.com Intel Corporation
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5691 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150723/c49a7a19/attachment.bin>
-------------- next part --------------
_______________________________________________
openssl-bugs-mod mailing list
openssl-bugs-mod at openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod
More information about the openssl-dev
mailing list