[openssl-users] CVE-2016-2180

Matthias Apitz guru at unixarea.de
Fri Sep 16 06:33:25 UTC 2016


On Thursday, September 15, 2016 at 09:00:07PM -0700, sivagopiraju wrote:

> -   int len = OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
> -    BIO_write(bio, obj_txt, len);
> -    BIO_write(bio, "\n", 1);
> +    OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
> +    BIO_printf(bio, "%s\n", obj_txt);
> 
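
Review bot: on the two added lines the return value of OBJ_obj2txt() is discarded, so BIO_printf(bio, "%s\n", obj_txt) runs even if the conversion failed and relies entirely on obj_txt being NUL-terminated; check the result and bail out before printing. Dropping `len` as the byte count for BIO_write() is the right direction, since the removed lines never bounded it by sizeof(obj_txt).
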
> Here, BIO_printf is used instead of BIO_write; does it solve the issue?
> 
> Can you please elaborate on it? I didn't understand the solution.

The man page for OBJ_obj2txt() says what the function is doing and what
the parms are used for or must be, but does not specify what its return
value is, only that it is 'int'. Maybe it does not return the length of
the resulting string.

	matthias
-- 
Matthias Apitz, ✉ guru at unixarea.de, ⌂ http://www.unixarea.de/  ☎ +49-176-38902045
"Without the Wall there would have been war" Fritz Streletz et al.
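
The return-value question raised in this message, as an added example that is not part of the original post and is not OpenSSL code: `format_oid` is a hypothetical stand-in that assumes the snprintf-style convention (the return value is the full text length, not the bytes stored), and `safe_len` shows the bound a caller needs before using that value as a write length.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an OID-to-text formatter (NOT OBJ_obj2txt).
 * Assumed convention, as with snprintf: store at most buf_len-1 bytes plus
 * a NUL, but return the length the full text would need. */
static int format_oid(char *buf, size_t buf_len, const unsigned *arcs, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        char tmp[16];
        int k = snprintf(tmp, sizeof tmp, i ? ".%u" : "%u", arcs[i]);
        for (int j = 0; j < k; j++, total++)
            if (total + 1 < buf_len)
                buf[total] = tmp[j];
    }
    if (buf_len > 0)
        buf[total + 1 < buf_len ? total : buf_len - 1] = '\0';
    return (int)total;
}

/* Bytes of buf that may be emitted for a given return value: never use
 * ret as a byte count unless it is smaller than the buffer. */
static size_t safe_len(int ret, size_t buf_len)
{
    if (ret <= 0 || buf_len == 0)
        return 0;
    return (size_t)ret < buf_len ? (size_t)ret : buf_len - 1;
}

/* Constructed sample input: a 12-arc identifier, 27 characters as text. */
static const unsigned SAMPLE[] = {1, 3, 6, 1, 4, 1, 99999, 1, 2, 3, 4, 5};

static int demo_ret(char *buf, size_t buf_len)
{
    return format_oid(buf, buf_len, SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0]);
}

int main(void)
{
    char buf[16];
    int ret = demo_ret(buf, sizeof buf);
    /* Passing ret straight to a write call would read past buf here. */
    printf("returned %d, buffer holds %zu bytes, safe to write %zu: %s\n",
           ret, strlen(buf), safe_len(ret, sizeof buf), buf);
    return 0;
}
```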

