[openssl/openssl] 0d1a0e: Avoid potential OOB if width > sizeof(start)

pauli noreply at reply.github.openssl.org
Mon May 23 00:07:33 UTC 2022


  Branch: refs/heads/master
  Home:   https://github.openssl.org/openssl/openssl
  Commit: 0d1a0ed63d1b4faa3711a69a19f7029947524cfa
      https://github.openssl.org/openssl/openssl/commit/0d1a0ed63d1b4faa3711a69a19f7029947524cfa
  Author: Benny Baumann <BenBE at geshi.org>
  Date:   2022-05-23 (Mon, 23 May 2022)

  Changed paths:
    M apps/lib/opt.c

  Log Message:
  -----------
  Avoid potential OOB if width > sizeof(start)

This can't currently happen due to sizeof(start) being way larger than MAX_OPT_HELP_WIDTH,
but wasn't checked for previously. With this patch there still remains one (static) OOB,
when the length of the option name and the valtype2param string for that argument overflow
the buffer in opt_print. This is kinda unlikely, unless someone intentionally crafts a
long option name, in which case this would become some trivial stack buffer overrun with
possibility to overwrite pointer to the OPTIONS structure (a long o->name is critical here).

I sincerely hope we trust our built-in documentation to not exploit ourselves.

Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12265)


  Commit: aac6ae3774f341412bc45583ef9358df5b76a008
      https://github.openssl.org/openssl/openssl/commit/aac6ae3774f341412bc45583ef9358df5b76a008
  Author: Benny Baumann <BenBE at geshi.org>
  Date:   2022-05-23 (Mon, 23 May 2022)

  Changed paths:
    M apps/lib/opt.c

  Log Message:
  -----------
  Avoid unchecked string concatenation

To avoid the issue of overflowing the buffer start while
building up the help string prefix this rewrite of the
string building logic does multiple smaller writes to
opt_printf_stderr. While this is slower it completely
avoids the buffer overflow issue and does not place
any (unchecked) length constraints on the name of passed
options. Instead such long options are gracefully
wrapped onto the next line.

Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12265)


Compare: https://github.openssl.org/openssl/openssl/compare/fb4cdca053fb...aac6ae3774f3
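
The approach described in the second commit message (several small writes instead of building the prefix in a fixed buffer, with long option names wrapped onto the next line), as an added example that is not OpenSSL's code. `print_opt_help`, `HELP_COL` and the sample options are assumptions made for illustration, and `fprintf` stands in for `opt_printf_stderr`.

```c
#include <stdio.h>
#include <string.h>

#define HELP_COL 24   /* assumed column where the help text starts */

/*
 * Hypothetical helper (not OpenSSL code): emit " -name param" and the help
 * text as separate writes. No intermediate buffer is filled, so the lengths
 * of name and param cannot overrun anything. Returns the number of output
 * lines used (1, or 2 if the prefix had to wrap), or -1 on I/O error.
 */
static int print_opt_help(FILE *out, const char *name, const char *param,
                          const char *help)
{
    int n, col, lines = 1;

    if ((n = fprintf(out, " -%s", name)) < 0)
        return -1;
    col = n;
    if (param != NULL && param[0] != '\0') {
        if ((n = fprintf(out, " %s", param)) < 0)
            return -1;
        col += n;
    }
    if (col >= HELP_COL) {
        /* Prefix reaches the help column: continue on the next line. */
        if (fputc('\n', out) == EOF)
            return -1;
        col = 0;
        lines = 2;
    }
    /* Pad with spaces up to HELP_COL, then print the help text. */
    if (fprintf(out, "%*s%s\n", HELP_COL - col, "", help) < 0)
        return -1;
    return lines;
}

int main(void)
{
    char longname[301];              /* constructed oversized option name */

    memset(longname, 'x', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';
    print_opt_help(stdout, "in", "infile", "Input file");
    print_opt_help(stdout, longname, "val", "Wrapped onto the next line");
    return 0;
}
```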

