src/*.c: Minor documentation updates.

[tlsproxy/tlsproxy.git] / src / connection.c

diff --git a/src/connection.c b/src/connection.c
index 1d94d79654323dec4875aa4e7f9724f2d49208c5..bfdac1c6db59df105ae2ac9fdc659be004da9e3a 100644 (file)
--- a/src/connection.c
+++ b/src/connection.c
@@ -31,9 +31,10 @@
 #include <errno.h>
 
 
-/* Maximum line of a HTTP request line. Longer request lines are aborted with
- * an error. The standard doesn't specify a maximum line length but this
- * should be a good limit to make processing simpler. */
+/* Maximum length of a HTTP request line. Longer request lines are aborted
+ * with an error. The standard doesn't specify a maximum line length but this
+ * should be a good limit to make processing simpler. As HTTPS is used this
+ * doesn't limit long GET requests. */
 #define MAX_REQUEST_LINE 4096
 
 /* Format string used to send HTTP/1.0 error responses to the client.
@@ -216,7 +217,7 @@ void handle_connection(int client_socket) {
 
             goto out;
         }
-        /* server_certificate_path() may open the file, close it. */
+        /* server_certificate_path() may have opened the file, close it. */
         if (NULL != file) {
             fclose(file);
         }
@@ -257,7 +258,7 @@ void handle_connection(int client_socket) {
 
     /* Initialize TLS server credentials to talk to the client. */
     result = initialize_tls_session_client(client_socket,
-                                           /* use special host if the server
+                                           /* use a special host if the server
                                             * certificate was invalid */
                                            (validation_failed) ? "invalid"
                                                                : host,
@@ -371,7 +372,16 @@ static int initialize_tls_session_client(int peer_socket,
             hostname);
         return -1;
     }
-    snprintf(path, sizeof(path), PROXY_SERVER_CERT_FORMAT, hostname);
+    result = snprintf(path, sizeof(path), PROXY_SERVER_CERT_FORMAT, hostname);
+    if (result < 0) {
+        LOG_PERROR(LOG_ERROR,
+                   "initialize_tls_session_client(): snprintf failed");
+        return -1;
+    } else if ((size_t)result >= sizeof(path)) {
+        LOG(LOG_ERROR,
+            "initialize_tls_session_client(): snprintf buffer too short");
+        return -1;
+    }
 
     result = gnutls_certificate_allocate_credentials(x509_cred);
     if (GNUTLS_E_SUCCESS != result) {
@@ -555,15 +565,26 @@ static void tls_send_invalid_cert_message(gnutls_session_t session) {
 #define RESPONSE_ERROR "500 Internal Server Error"
 #define RESPONSE_MSG   "Server certificate validation failed, check logs."
 
+    int result;
     char buffer[sizeof(HTTP_RESPONSE_FORMAT) - 1 /* '\0' */
                                              - 4 * 2 /* four %s */
                 + (sizeof(RESPONSE_ERROR) - 1 /* '\0' */) * 3
                 + sizeof(RESPONSE_MSG)    - 1 /* '\0' */
                 + 1 /* '\0' */];
 
-    snprintf(buffer, sizeof(buffer),
-             HTTP_RESPONSE_FORMAT,
-             RESPONSE_ERROR, RESPONSE_ERROR, RESPONSE_ERROR, RESPONSE_MSG);
+    result = snprintf(buffer, sizeof(buffer),
+                      HTTP_RESPONSE_FORMAT,
+                      RESPONSE_ERROR, RESPONSE_ERROR, RESPONSE_ERROR,
+                      RESPONSE_MSG);
+    if (result < 0) {
+        LOG_PERROR(LOG_ERROR,
+                   "tls_send_invalid_cert_message(): snprintf failed");
+        return;
+    } else if ((size_t)result >= sizeof(buffer)) {
+        LOG(LOG_ERROR,
+            "tls_send_invalid_cert_message(): snprintf buffer too short");
+        return;
+    }
 
     gnutls_record_send(session, buffer, sizeof(buffer) - 1);
                                         /* don't send trailing '\0' */