[openssl-commits] [openssl] OpenSSL_0_9_8-stable update
Matt Caswell
matt at openssl.org
Thu Jun 4 08:35:27 UTC 2015
The branch OpenSSL_0_9_8-stable has been updated
via 9759ff0cd908270fad328ba7f35fed021e619868 (commit)
from f9603f2673154bfba52d24654bc6e5f5dd19a88a (commit)
- Log -----------------------------------------------------------------
commit 9759ff0cd908270fad328ba7f35fed021e619868
Author: Matt Caswell <matt at openssl.org>
Date: Tue May 19 13:59:47 2015 +0100
Fix off-by-one error in BN_bn2hex
A BIGNUM can have the value of -0. The function BN_bn2hex fails to account
for this and can allocate a buffer one byte too short in the event of -0
being used, leading to a one byte buffer overrun. All usage within the
OpenSSL library is considered safe. Any security risk is considered
negligible.
With thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke and
Filip Palian for discovering and reporting this issue.
Reviewed-by: Tim Hudson <tjh at openssl.org>
(cherry picked from commit c56353071d9849220714d8a556806703771b9269)
Conflicts:
crypto/bn/bn_print.c
-----------------------------------------------------------------------
Summary of changes:
crypto/bn/bn_print.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c
index 15bc51a..6117653 100644
--- a/crypto/bn/bn_print.c
+++ b/crypto/bn/bn_print.c
@@ -71,7 +71,12 @@ char *BN_bn2hex(const BIGNUM *a)
char *buf;
char *p;
- buf = (char *)OPENSSL_malloc(a->top * BN_BYTES * 2 + 2);
+ if (a->neg && BN_is_zero(a)) {
+ /* "-0" == 3 bytes including NULL terminator */
+ buf = OPENSSL_malloc(3);
+ } else {
+ buf = OPENSSL_malloc(a->top * BN_BYTES * 2 + 2);
+ }
if (buf == NULL) {
BNerr(BN_F_BN_BN2HEX, ERR_R_MALLOC_FAILURE);
goto err;
More information about the openssl-commits
mailing list