[openssl-users] CVE-2016-2180

Matt Caswell matt at openssl.org
Fri Sep 16 07:57:30 UTC 2016



On 16/09/16 08:05, Matthias Apitz wrote:
> On Thursday, September 15, 2016 at 10:35:34PM -0700, sivagopiraju wrote:
> 
>> int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name);
>>
>> OBJ_obj2txt() converts the ASN1_OBJECT a into a textual representation. The
>> representation is written as a null terminated string to buf; at most buf_len
>> bytes are written, truncating the result if necessary. *The total amount of
>> space required is returned*. If no_name is 0 then if the object has a long
>> or short name then that will be used, otherwise the numerical form will be
>> used. If no_name is 1 then the numerical form will always be used.
>>
>> The above statement says that the *amount of space required is
>> returned*.
> 
> I saw this, but 'amount of space required' is IMHO vague, I'd expect
> 'the length of the resulting string is returned'

That is the heart of the problem. OBJ_obj2txt() does not return what you
might expect. The author of TS_OBJ_print_bio() expected it to return the
length of the resulting string (as you do). However OBJ_obj2txt() might
truncate what it would otherwise produce if the supplied buffer isn't
big enough - but it still returns the length of the untruncated string.

The implementation of TS_OBJ_print_bio() used BIO_write() to print the
string, using the untruncated string length. This is obviously wrong and
could cause an out-of-bounds read. By swapping to BIO_printf() this is
avoided because it only prints the string until it hits the NUL
terminator which should always be within the bounds of the supplied buffer.

Matt
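The return-value mismatch Matt describes, as an added example that is not OpenSSL's code and not part of the original thread. `model_obj2txt()` is a hypothetical stand-in for `OBJ_obj2txt()` that keeps only the contract from the man page (writes at most `buf_len - 1` characters plus a NUL, returns the untruncated length); the two `bytes_to_write_*` functions model the pre-fix `BIO_write()` length and the post-fix `BIO_printf("%s")` length, and `would_overread()` is a check that flags when the pre-fix length exceeds the buffer. The OID strings are constructed sample inputs.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample inputs: an OID text that fits a 32-byte buffer and one
 * that does not. */
static const char SHORT_OID_TEXT[] = "1.2.840.113549.1.1.11";
static const char LONG_OID_TEXT[]  = "1.3.6.1.4.1.99999.1.2.3.4.5.6.7.8.9.10.11.12.13";

/* Stand-in for OBJ_obj2txt() (hypothetical model, not OpenSSL code). It keeps
 * the documented contract: at most buf_len - 1 characters plus a NUL are
 * written to buf, but the return value is the length of the FULL untruncated
 * text. full_text plays the role of the ASN1_OBJECT argument. */
static int model_obj2txt(char *buf, int buf_len, const char *full_text)
{
    size_t full_len = strlen(full_text);

    if (buf != NULL && buf_len > 0) {
        size_t n = full_len;
        if (n > (size_t)(buf_len - 1))
            n = (size_t)(buf_len - 1);
        memcpy(buf, full_text, n);
        buf[n] = '\0';
    }
    return (int)full_len;
}

/* Pre-fix pattern (modelled): the byte count TS_OBJ_print_bio() passed to
 * BIO_write() was the return value of OBJ_obj2txt(), so it can exceed the
 * buffer whenever the text was truncated. */
static int bytes_to_write_before_fix(int buf_len, const char *full_text)
{
    char obj_txt[128];

    if (buf_len > (int)sizeof(obj_txt))
        buf_len = (int)sizeof(obj_txt);
    return model_obj2txt(obj_txt, buf_len, full_text);
}

/* Post-fix pattern (modelled): BIO_printf("%s") stops at the NUL terminator,
 * so the number of bytes read is bounded by what is actually in the buffer. */
static int bytes_to_write_after_fix(int buf_len, const char *full_text)
{
    char obj_txt[128];

    if (buf_len > (int)sizeof(obj_txt))
        buf_len = (int)sizeof(obj_txt);
    model_obj2txt(obj_txt, buf_len, full_text);
    return (int)strlen(obj_txt);
}

/* Review check: returns 1 when the pre-fix length would read past the buffer. */
static int would_overread(int buf_len, const char *full_text)
{
    return bytes_to_write_before_fix(buf_len, full_text) > buf_len;
}

int main(void)
{
    const char *inputs[] = { SHORT_OID_TEXT, LONG_OID_TEXT };
    size_t i;

    for (i = 0; i < 2; i++) {
        printf("text length %2zu: before-fix write length %2d, after-fix %2d, overread=%d\n",
               strlen(inputs[i]),
               bytes_to_write_before_fix(32, inputs[i]),
               bytes_to_write_after_fix(32, inputs[i]),
               would_overread(32, inputs[i]));
    }
    return 0;
}
```

With a 32-byte buffer the short OID gives the same length under both patterns, while the long OID gives the full untruncated length under the pre-fix pattern (the out-of-bounds read) and 31 under the post-fix pattern, which is all the buffer holds.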