[openssl-users] CVE-2016-2180
sivagopiraju
sivagopi059 at gmail.com
Fri Sep 16 05:35:34 UTC 2016
int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name);
OBJ_obj2txt() converts the ASN1_OBJECT a into a textual representation. The
representation is written as a null terminated string to buf at most buf_len
bytes are written, truncating the result if necessary. *The total amount of
space required is returned*. If no_name is 0 then if the object has a long
or short name then that will be used, otherwise the numerical form will be
used. If no_name is 1 then the numerical form will always be used.
The above statement says that the *amount of space required is
returned*.
Matthias Apitz-4 wrote
> On Thursday, September 15, 2016 at 09:00:07PM -0700, sivagopiraju
> wrote:
>
>> - int len = OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
>> - BIO_write(bio, obj_txt, len);
>> - BIO_write(bio, "\n", 1);
>> + OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
>> + BIO_printf(bio, "%s\n", obj_txt);
>>
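Review bot: The added lines drop the return value of OBJ_obj2txt() altogether, so output that was truncated to sizeof(obj_txt) is printed with no indication. The man page text quoted in this thread says the call returns the total space required and truncates what it writes to buf_len, so the removed BIO_write(bio, obj_txt, len) could be handed a len larger than obj_txt, whereas BIO_printf with %s stops at the terminating null. Consider keeping the return value and comparing it against sizeof(obj_txt) so that a truncated result can be reported or handled instead of being written out as if complete.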
>> Here, BIO_printf is used instead of BIO_write; does it solve the issue?
>>
>> Can you please elaborate on it? I didn't understand the solution.
>
> The man page for OBJ_obj2txt() says what the function is doing and what
> the parms are used for or must be, but does not specify what its return
> value is, only that it is 'int'. Maybe it does not return the length of
> the resulting string.
>
> matthias
*Maybe it does not return the length of the resulting string.*
It means the return value is causing the issue.
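The truncating contract quoted from the man page above, as an added example that is not part of the thread and not OpenSSL code. `oid_to_text` is a hypothetical stand-in that mimics the documented OBJ_obj2txt() return value without linking OpenSSL, and `bytes_to_write` and `sample_ret` are assumed helpers showing the clamp a length-taking writer needs.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for OBJ_obj2txt() (not OpenSSL code): writes the
 * dotted form of an OID into buf, NUL-terminated and truncated to buf_len,
 * and returns the length the complete text needs. */
static int oid_to_text(char *buf, int buf_len, const unsigned long *arcs, int n)
{
    int total = 0, used = 0;
    for (int i = 0; i < n; i++) {
        char piece[32];
        int plen = snprintf(piece, sizeof(piece), "%s%lu", i ? "." : "", arcs[i]);
        for (int j = 0; j < plen; j++)
            if (used + 1 < buf_len)      /* keep one byte for the NUL */
                buf[used++] = piece[j];
        total += plen;
    }
    if (buf_len > 0)
        buf[used] = '\0';
    return total;                        /* may be larger than buf_len */
}

/* Assumed helper: how many bytes of buf a length-taking writer may read. */
static size_t bytes_to_write(int ret, size_t buf_size)
{
    if (ret <= 0 || buf_size == 0)
        return 0;
    if ((size_t)ret >= buf_size)         /* output was truncated */
        return buf_size - 1;
    return (size_t)ret;
}

/* Constructed sample: arcs of 1.2.840.113549.1.1.11 into a buffer of `size`. */
static int sample_ret(char *buf, int size)
{
    static const unsigned long arcs[] = {1, 2, 840, 113549, 1, 1, 11};
    return oid_to_text(buf, size, arcs, 7);
}

int main(void)
{
    char small[8];
    int ret = sample_ret(small, (int)sizeof(small));
    /* ret is 21 but only 7 text bytes exist: using ret as a length over-reads. */
    printf("returned=%d stored=%zu safe=%zu text=%s\n", ret, strlen(small),
           bytes_to_write(ret, sizeof(small)), small);
    return 0;
}
```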