diff options
| author | Theo Buehler <tb@cvs.openbsd.org> | 2023-11-21 16:31:32 +0000 |
|---|---|---|
| committer | Theo Buehler <tb@cvs.openbsd.org> | 2023-11-21 16:31:32 +0000 |
| commit | 7a25b0d02454a5d642e306731f1af121eca117a0 (patch) | |
| tree | a16cc60a0418fc60795cce25615378e46a2c02ac | |
| parent | a03e36e792b6664b00f745fa9c39dfcd2c5c67f2 (diff) | |
Fix a <= 5-byte buffer overwrite in print_bin()
If the offset is > 124, this function would overwrite between 1 and 5 bytes
of stack space after str[128]. So for a quick fix extend the buffer by 5
bytes. Obviously this is the permanent fix chosen elswehere. The proper fix
will be to rewrite this function from scratch.
Reported in detail by Masaru Masuda, many thanks!
Fixes https://github.com/libressl/openbsd/issues/145
begrudging ok from beck
| -rw-r--r-- | lib/libcrypto/ec/eck_prn.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/lib/libcrypto/ec/eck_prn.c b/lib/libcrypto/ec/eck_prn.c index 6e89bfa739a..45e0bc80e94 100644 --- a/lib/libcrypto/ec/eck_prn.c +++ b/lib/libcrypto/ec/eck_prn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: eck_prn.c,v 1.28 2023/07/07 13:54:45 beck Exp $ */ +/* $OpenBSD: eck_prn.c,v 1.29 2023/11/21 16:31:31 tb Exp $ */ /* * Written by Nils Larsch for the OpenSSL project. */ @@ -322,7 +322,8 @@ print_bin(BIO *fp, const char *name, const unsigned char *buf, size_t len, int off) { size_t i; - char str[128]; + /* XXX - redo the function with asprintf/strlcat. */ + char str[128 + 1 + 4]; if (buf == NULL) return 1; |