[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Thu Jun 4 08:34:19 UTC 2015
The branch master has been updated
via c56353071d9849220714d8a556806703771b9269 (commit)
from 7322abf5cefdeb47c7d61f3b916c428bf2cd69b6 (commit)
- Log -----------------------------------------------------------------
commit c56353071d9849220714d8a556806703771b9269
Author: Matt Caswell <matt at openssl.org>
Date: Tue May 19 13:59:47 2015 +0100
Fix off-by-one error in BN_bn2hex
A BIGNUM can have the value of -0. The function BN_bn2hex fails to account
for this and can allocate a buffer one byte too short in the event of -0
being used, leading to a one byte buffer overrun. All usage within the
OpenSSL library is considered safe. Any security risk is considered
negligible.
With thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke and
Filip Palian for discovering and reporting this issue.
Reviewed-by: Tim Hudson <tjh at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
crypto/bn/bn_print.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c
index b0b70b5..f528a36 100644
--- a/crypto/bn/bn_print.c
+++ b/crypto/bn/bn_print.c
@@ -71,7 +71,12 @@ char *BN_bn2hex(const BIGNUM *a)
char *buf;
char *p;
- buf = OPENSSL_malloc(a->top * BN_BYTES * 2 + 2);
+ if (a->neg && BN_is_zero(a)) {
+ /* "-0" == 3 bytes including NULL terminator */
+ buf = OPENSSL_malloc(3);
+ } else {
+ buf = OPENSSL_malloc(a->top * BN_BYTES * 2 + 2);
+ }
if (buf == NULL) {
BNerr(BN_F_BN_BN2HEX, ERR_R_MALLOC_FAILURE);
goto err;
More information about the openssl-commits
mailing list