From 18780db8539929b9e85ef79bc9c4d14c0cedab98 Mon Sep 17 00:00:00 2001
From: Simon Cruanes
Date: Wed, 9 Aug 2023 16:05:36 -0400
Subject: [PATCH] security: zero out buffers from pool before reusing them
---
 src/Tiny_httpd_buf.ml | 4 ++++
 src/Tiny_httpd_buf.mli | 4 ++++
 src/Tiny_httpd_server.ml | 2 +-
 3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/Tiny_httpd_buf.ml b/src/Tiny_httpd_buf.ml
index 30cc1a45..fcc89933 100644
--- a/src/Tiny_httpd_buf.ml
+++ b/src/Tiny_httpd_buf.ml
@@ -16,6 +16,10 @@ let clear self : unit =
 self.bytes <- self.original;
 self.i <- 0
 
+let clear_and_zero self =
+ clear self;
+ Bytes.fill self.bytes 0 (Bytes.length self.bytes) '\x00'
+
 let resize self new_size : unit =
 let new_buf = Bytes.make new_size ' ' in
 Bytes.blit self.bytes 0 new_buf 0 self.i;
diff --git a/src/Tiny_httpd_buf.mli b/src/Tiny_httpd_buf.mli
index e4d2a5c5..e0c92de2 100644
--- a/src/Tiny_httpd_buf.mli
+++ b/src/Tiny_httpd_buf.mli
@@ -13,6 +13,10 @@ val clear : t -> unit
 val create : ?size:int -> unit -> t
 val contents : t -> string
 
+val clear_and_zero : t -> unit
+(** Clear the buffer and zero out its storage.
+ @since NEXT_RELEASE *)
+
 val bytes_slice : t -> bytes
 (** Access underlying slice of bytes.
 @since 0.5 *)
diff --git a/src/Tiny_httpd_server.ml b/src/Tiny_httpd_server.ml
index 2b95a7d3..94347fe7 100644
--- a/src/Tiny_httpd_server.ml
+++ b/src/Tiny_httpd_server.ml
@@ -847,7 +847,7 @@ let create_from ?(buf_size = 16 * 1_024) ?(middlewares = []) ~backend () : t =
 middlewares = [];
 middlewares_sorted = lazy [];
 buf_pool =
- Pool.create ~clear:Buf.clear
+ Pool.create ~clear:Buf.clear_and_zero
 ~mk_item:(fun () -> Buf.create ~size:buf_size ())
 ();
 }
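Review bot: `clear_and_zero` calls `clear` before `Bytes.fill`, and the context lines above it (apparently the body of `clear`, which starts outside the hunk) reset `self.bytes` to `self.original`, so only the original pooled storage is wiped. If `resize` has swapped in a larger buffer (its assignment is presumably just past the end of the hunk), that buffer is dropped with the request bytes still in it. The pool does not hand it out again, but if the goal also covers stale data lingering on the heap, add `if self.bytes != self.original then Bytes.fill self.bytes 0 (Bytes.length self.bytes) '\x00';` ahead of `clear self`. Either way, the doc comment added in `src/Tiny_httpd_buf.mli` should say which storage is zeroed. For consistency with `clear` and `resize`, the definition could also carry the annotation: `let clear_and_zero self : unit =`.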
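Review bot: Nothing at the `Pool.create` call site records why the pool uses `Buf.clear_and_zero` rather than the cheaper `Buf.clear`, so a later performance clean-up could silently revert the hardening. A short comment above `Pool.create`, such as `(* security: wipe recycled buffers so bytes from one request cannot be read through a reused buffer *)`, would keep the intent next to the code. Each recycle now fills the whole buffer (`buf_size`, 16 KiB by default per the signature in the hunk header), a cost worth stating in the same comment. Whether `~clear` runs when a buffer is returned or when it is next taken is decided in `Pool`, outside this hunk; the body of `create_from` also begins before the hunk.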