enforce OCSP_MAX_RESPONSE_SIZE (#38)

Chenjp · web-flow · commit 03216f540045 · 2026-02-06T19:49:21.000Z
Introduce a hard limit of 64 KB for OCSP responses
diff --git a/native/src/sslutils.c b/native/src/sslutils.c
@@ -892,6 +892,7 @@ static OCSP_RESPONSE *parse_ocsp_resp(char *buf, int len)
 /* Reads the response from the APR socket to a buffer, and parses the buffer to
    return the OCSP response  */
 #define BUFFER_SIZE 512
+#define OCSP_MAX_RESPONSE_SIZE 65536
 static OCSP_RESPONSE *ocsp_get_resp(apr_pool_t *mp, apr_socket_t *sock)
 {
     int buflen;
@@ -914,7 +915,10 @@ static OCSP_RESPONSE *ocsp_get_resp(apr_pool_t *mp, apr_socket_t *sock)
         readlen = sizeof(tmpbuf);
         rv = apr_socket_recv(sock, tmpbuf, &readlen);
         if (rv == APR_SUCCESS) { /* if we have read something .. we can put it in the buffer*/
-            if ((totalread + readlen) >= buflen) {
+            if ((totalread + readlen) > OCSP_MAX_RESPONSE_SIZE) {
+                apr_pool_destroy(p);
+                return NULL;
+            } else if ((totalread + readlen) >= buflen) {
                 buf = apr_xrealloc(buf, buflen, buflen * 2, p);
                 if (buf == NULL) {
                     apr_pool_destroy(p);
