Address review feedback

julek-wolfssl · julek-wolfssl · commit e9a5c757e0ba · 2026-04-13T12:41:29.000+02:00
- LoadFile now validates fread read the full file size and returns NULL
  on short read.
- ocsp-responder-http checks wolfSSL_Init return value.
- Remove bare scope block around sigaction setup.
diff --git a/ocsp/responder/ocsp-load-certs.h b/ocsp/responder/ocsp-load-certs.h
@@ -46,6 +46,7 @@ static WC_MAYBE_UNUSED byte* LoadFile(const char* path, int* outSz)
     if (!buf) { fclose(f); return NULL; }
     *outSz = (int)fread(buf, 1, (size_t)sz, f);
     fclose(f);
+    if (*outSz != (int)sz) { free(buf); return NULL; }
     return buf;
 }
 
diff --git a/ocsp/responder/ocsp-responder-http.c b/ocsp/responder/ocsp-responder-http.c
@@ -237,6 +237,7 @@ int main(int argc, char** argv)
     word32 caSubjectSz = sizeof(caSubject);
     int sockfd = -1, clientfd, opt = 1, i, ret = 0;
     struct sockaddr_in addr;
+    struct sigaction sa;
 
     if (argc < 4) {
         printf("Usage: %s <port> <ca-cert> <ca-key> [good-cert ...]\n\n"
@@ -252,20 +253,21 @@ int main(int argc, char** argv)
     certFile = argv[2];
     keyFile  = argv[3];
 
-    wolfSSL_Init();
-    {
-        struct sigaction sa;
-        sa.sa_handler = sigHandler;
-        sa.sa_flags = 0; /* No SA_RESTART so accept() returns on signal */
-        sigemptyset(&sa.sa_mask);
-        sigaction(SIGINT, &sa, NULL);
-        sigaction(SIGTERM, &sa, NULL);
-
-        /* Ignore SIGPIPE so client disconnections during writes don't crash */
-        sa.sa_handler = SIG_IGN;
-        sigaction(SIGPIPE, &sa, NULL);
+    if (wolfSSL_Init() != WOLFSSL_SUCCESS) {
+        fprintf(stderr, "wolfSSL_Init failed\n");
+        return 1;
     }
 
+    sa.sa_handler = sigHandler;
+    sa.sa_flags = 0; /* No SA_RESTART so accept() returns on signal */
+    sigemptyset(&sa.sa_mask);
+    sigaction(SIGINT, &sa, NULL);
+    sigaction(SIGTERM, &sa, NULL);
+
+    /* Ignore SIGPIPE so client disconnections during writes don't crash */
+    sa.sa_handler = SIG_IGN;
+    sigaction(SIGPIPE, &sa, NULL);
+
     caCertDer = LoadCertDer(certFile, &caCertDerSz);
     caKeyDer = LoadKeyDer(keyFile, &caKeyDerSz);
     if (!caCertDer || !caKeyDer) {

Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,7 @@ static WC_MAYBE_UNUSED byte* LoadFile(const char* path, int* outSz)`
`46`	`46`	`if (!buf) { fclose(f); return NULL; }`
`47`	`47`	`*outSz = (int)fread(buf, 1, (size_t)sz, f);`
`48`	`48`	`fclose(f);`
	`49`	`+ if (*outSz != (int)sz) { free(buf); return NULL; }`
`49`	`50`	`return buf;`
`50`	`51`	`}`
`51`	`52`