[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Sat Oct 15 10:36:32 UTC 2016


The branch master has been updated
       via  e5c1361580d8de79682958b04a5f0d262e680f8b (commit)
      from  3ff3ee7a19e84076f67beeda1cf5e9d8b2380429 (commit)


- Log -----------------------------------------------------------------
commit e5c1361580d8de79682958b04a5f0d262e680f8b
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Oct 12 16:43:03 2016 +0100

    Ensure we handle len == 0 in ERR_err_string_n
    
    If len == 0 in a call to ERR_error_string_n() then we can read beyond the
    end of the buffer. Really applications should not be calling this function
    with len == 0, but we shouldn't be letting it through either!
    
    Thanks to Agostino Sarubbo for reporting this issue. Agostino's blog on
    this issue is available here:
    https://blogs.gentoo.org/ago/2016/10/14/openssl-libcrypto-stack-based-buffer-overflow-in-err_error_string_n-err-c/
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/err/err.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/crypto/err/err.c b/crypto/err/err.c
index c3f7212..29e5a03 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -500,6 +500,9 @@ void ERR_error_string_n(unsigned long e, char *buf, size_t len)
     const char *ls, *fs, *rs;
     unsigned long l, f, r;
 
+    if (len == 0)
+        return;
+
     l = ERR_GET_LIB(e);
     f = ERR_GET_FUNC(e);
     r = ERR_GET_REASON(e);


More information about the openssl-commits mailing list