[openssl-dev] [openssl.org #4023] heap overflow in openssl-1.0.2d
Nicholas Cooper via RT
rt at openssl.org
Thu Aug 27 10:21:05 UTC 2015
The call stack is as follows.
level function filename (line number)
0 BN_bn2bin openssl-1.0.2d/crypto/bn/bn_lib.c (652)
1 RSA_eay_public_encrypt openssl-1.0.2d/crypto/rsa/rsa_eay.c (239)
2 RSA_public_encrypt openssl-1.0.2d/crypto/rsa/rsa_crpt.c (85)
3 EVP_PKEY_encrypt_old openssl-1.0.2d/crypto/evp/p_enc.c (81)
4 EVP_SealInit openssl-1.0.2d/crypto/evp/p_seal.c (94)
5 main my.cpp
In the while-loop of BN_bn2bin(), the *(to++) statement falsely
overwrites my dynamically-allocated object. Apparently, the return value
of BN_num_bytes() is incorrect, so the while-loop goes out of control.
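Added example, not part of the original message and not OpenSSL code: BN_bn2bin() takes no destination length, and the EVP_SealInit() documentation requires each ek[i] buffer to have room for EVP_PKEY_size(pubk[i]) bytes, so the bound has to be enforced by the caller. The self-contained C model below shows a length-less serializer of the same shape and a caller-side size check; the `toy_*` names, the 32-bit word layout and the sample value are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for a BIGNUM (assumption): little-endian 32-bit words. */
typedef struct { const uint32_t *d; int top; } toy_bn;

/* Constructed sample value 0x01020304050607 (7 significant bytes). */
static const uint32_t SAMPLE_WORDS[2] = { 0x04050607u, 0x00010203u };
static const toy_bn SAMPLE = { SAMPLE_WORDS, 2 };
static unsigned char OUT[8];   /* room for an 8-byte "modulus" */

/* Significant byte count: the role BN_num_bytes() plays. */
static size_t toy_num_bytes(const toy_bn *a) {
    int top = a->top;
    while (top > 0 && a->d[top - 1] == 0) top--;
    size_t n = top > 0 ? (size_t)(top - 1) * 4 : 0;
    for (uint32_t w = top > 0 ? a->d[top - 1] : 0; w; w >>= 8) n++;
    return n;
}

/* Same shape as the loop in the report: no destination size, n writes. */
static size_t toy_bn2bin(const toy_bn *a, unsigned char *to) {
    size_t n = toy_num_bytes(a), i = n;
    while (i--)
        *(to++) = (unsigned char)(a->d[i / 4] >> (8 * (i % 4)));
    return n;
}

/* Caller-side guard: output is left-padded to the modulus size `num`, so
   the buffer must hold `num` bytes. Returns bytes written, or -1. */
static int toy_encode_checked(const toy_bn *r, size_t num,
                              unsigned char *to, size_t to_cap) {
    size_t j = toy_num_bytes(r);
    if (j > num || to_cap < num) return -1;   /* refuse before any write */
    memset(to, 0, num - j);
    toy_bn2bin(r, to + (num - j));
    return (int)num;
}

int main(void) {
    printf("4-byte buffer: %d\n", toy_encode_checked(&SAMPLE, 8, OUT, 4));
    printf("8-byte buffer: %d\n", toy_encode_checked(&SAMPLE, 8, OUT, sizeof OUT));
    return 0;
}
```

With the real API the equivalent check is to allocate each ek[i] with EVP_PKEY_size(pubk[i]) bytes before calling EVP_SealInit().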