[openssl/openssl] d41b26: ossl-params: check length returned by strlen()

James Muir noreply at github.com
Tue Dec 12 19:00:09 UTC 2023


  Branch: refs/heads/openssl-3.1
  Home:   https://github.com/openssl/openssl
  Commit: d41b2671243695a38559ba2de940f25abb5f465d
      https://github.com/openssl/openssl/commit/d41b2671243695a38559ba2de940f25abb5f465d
  Author: James Muir <james at openssl.org>
  Date:   2023-12-12 (Tue, 12 Dec 2023)

  Changed paths:
    M crypto/param_build.c

  Log Message:
  -----------
  ossl-params: check length returned by strlen()

In param_build.c, the functions OSSL_PARAM_BLD_push_utf8_string() and
OSSL_PARAM_BLD_push_utf8_ptr() use strlen() to compute the length of
the string when bsize is zero.  However, the size_t returned by
strlen() might be too large (it is stored in an intermediate "int"),
so check for that.

There are analogous functions in params.c, but they do not use an
intermediate "int" to store the size_t returned by strlen().  So there
is some inconsistency between the implementations.

Credit to Viktor D and Tomas M for spotting these missing checks.

Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22967)

(cherry picked from commit d4d6694aa710c9970410a6836070daa6486a0ac0)
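
The narrowing problem the log message describes, shown as an added example (not OpenSSL's code and not part of the commit). `struct entry`, `push_unchecked()` and `push_checked()` are hypothetical stand-ins for a builder that records a string length in an `int`; the oversized length is passed in as `bsize` to simulate what `strlen()` would return for a string longer than `INT_MAX` bytes, so no multi-gigabyte buffer is needed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical builder entry that stores the length as an int. */
struct entry { const char *data; int size; };

/* Unchecked pattern: the size_t length is narrowed to int with no range test. */
static int push_unchecked(struct entry *e, const char *buf, size_t bsize)
{
    if (bsize == 0)
        bsize = strlen(buf);
    e->data = buf;
    e->size = (int)bsize;      /* implementation-defined result above INT_MAX */
    return 1;
}

/* Checked pattern: reject any length that does not fit in the int field,
 * whether it came from the caller or from strlen(). */
static int push_checked(struct entry *e, const char *buf, size_t bsize)
{
    if (bsize == 0)
        bsize = strlen(buf);
    if (bsize > INT_MAX)
        return 0;              /* caller sees a failure, nothing is stored */
    e->data = buf;
    e->size = (int)bsize;
    return 1;
}

int main(void)
{
    /* Constructed input: a length one past INT_MAX, as strlen() could return. */
    size_t too_long = (size_t)INT_MAX + 1;
    struct entry a = { NULL, 0 }, b = { NULL, 0 };

    push_unchecked(&a, "x", too_long);
    printf("unchecked: stored size = %d\n", a.size);
    printf("checked:   accepted = %d, stored size = %d\n",
           push_checked(&b, "x", too_long), b.size);
    printf("checked:   strlen path accepted = %d\n", push_checked(&b, "abc", 0));
    return 0;
}
```
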



