[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
Matt Caswell
matt at openssl.org
Sat Oct 15 10:36:54 UTC 2016
The branch OpenSSL_1_0_2-stable has been updated
via 02a02319ea6cde904e4bfa3a05fe128fd9b6675c (commit)
from 6d69dc56de8f0535be9ccabea7a8d4e61c04c2f1 (commit)
- Log -----------------------------------------------------------------
commit 02a02319ea6cde904e4bfa3a05fe128fd9b6675c
Author: Matt Caswell <matt at openssl.org>
Date: Wed Oct 12 16:43:03 2016 +0100
Ensure we handle len == 0 in ERR_err_string_n
If len == 0 in a call to ERR_error_string_n() then we can read beyond the
end of the buffer. Really applications should not be calling this function
with len == 0, but we shouldn't be letting it through either!
Thanks to Agostino Sarubbo for reporting this issue. Agostino's blog on
this issue is available here:
https://blogs.gentoo.org/ago/2016/10/14/openssl-libcrypto-stack-based-buffer-overflow-in-err_error_string_n-err-c/
Reviewed-by: Richard Levitte <levitte at openssl.org>
(cherry picked from commit e5c1361580d8de79682958b04a5f0d262e680f8b)
-----------------------------------------------------------------------
Summary of changes:
crypto/err/err.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/crypto/err/err.c b/crypto/err/err.c
index e77d963..52dc9a5 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -868,6 +868,9 @@ void ERR_error_string_n(unsigned long e, char *buf, size_t len)
const char *ls, *fs, *rs;
unsigned long l, f, r;
+ if (len == 0)
+ return;
+
l = ERR_GET_LIB(e);
f = ERR_GET_FUNC(e);
r = ERR_GET_REASON(e);
More information about the openssl-commits
mailing list