[openssl-dev] [openssl.org #3670] Bug in str_copy in conf_def.c [PATCH]

Perrow, Graeme via RT rt at openssl.org
Tue Jan 20 18:55:16 UTC 2015


A scanning tool we use to scan our code for runtime problems such as buffer overruns, possible NULL pointer dereferencing, memory leaks, etc. has found a bug in the str_copy routine in conf_def.c. At line 621 (in 1.0.1k), there is a call to BUF_MEM_grow_clean but the return value is not checked. If that call fails, we continue to use the memory assuming the expansion succeeded and will either dereference NULL (if the buffer was empty to begin with) or likely write off the end of the buffer.

I have attached a patch.

Graeme Perrow


-------------- next part --------------
A non-text attachment was scrubbed...
Name: str_cpy.patch
Type: application/octet-stream
Size: 542 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150120/6dbdb327/attachment.obj>
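The failure mode described in the report, as an added example that is neither OpenSSL code nor the attached patch: a toy buffer stands in for BUF_MEM, and toy_grow follows the BUF_MEM_grow_clean return convention (0 on failure, the requested size on success) but models only the capacity logic. A slack region of guard bytes past the logical capacity lets the overrun be observed without undefined behaviour, and a global allocation limit simulates the failing growth. toy_buf, toy_grow, toy_guard_intact, append_unchecked, append_checked and the demo_* functions are all assumed names invented for this example.

```c
/* Toy model of an unchecked grow before a copy (added example, not OpenSSL code).
 * toy_buf stands in for BUF_MEM, toy_grow for BUF_MEM_grow_clean; only the
 * "0 means failure" return convention is modelled. GUARD bytes past b->max
 * exist solely so the demo can detect an overrun without undefined behaviour;
 * g_alloc_limit simulates malloc() failing. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD 16          /* slack after max, filled with GUARD_BYTE */
#define GUARD_BYTE 0xAA

typedef struct {
    char *data;      /* NULL until the first growth, like a fresh BUF_MEM */
    size_t length;   /* bytes of string in use (excluding the NUL) */
    size_t max;      /* logical capacity the caller may write into */
} toy_buf;

/* Requests larger than this fail, standing in for malloc() returning NULL. */
static size_t g_alloc_limit = (size_t)-1;

/* Ensure room for `want` bytes. Returns want on success, 0 on failure. */
static int toy_grow(toy_buf *b, size_t want)
{
    if (want <= b->max)
        return (int)want;
    if (want > g_alloc_limit)
        return 0;                            /* simulated OOM: buffer untouched */
    char *p = malloc(want + GUARD);
    if (p == NULL)
        return 0;
    memset(p, 0, want);                      /* grow_clean zeroes the new area */
    memset(p + want, GUARD_BYTE, GUARD);     /* detection slack, not part of max */
    if (b->data != NULL) {
        memcpy(p, b->data, b->length);
        free(b->data);                       /* real code cleanses before freeing */
    }
    b->data = p;
    b->max = want;
    return (int)want;
}

/* 1 if nothing has been written past b->max. */
static int toy_guard_intact(const toy_buf *b)
{
    if (b->data == NULL)
        return 1;
    for (size_t i = 0; i < GUARD; i++)
        if ((unsigned char)b->data[b->max + i] != GUARD_BYTE)
            return 0;
    return 1;
}

static void toy_free(toy_buf *b)
{
    free(b->data);
    b->data = NULL;
    b->length = b->max = 0;
}

/* The reported pattern: the grow result is ignored, so on failure the copy
 * proceeds into a buffer that was never enlarged. On an empty buffer that is
 * a NULL dereference, so the demo only calls this on a non-empty one, where
 * the overrun lands in the guard slack instead. */
static void append_unchecked(toy_buf *b, const char *src, size_t n)
{
    size_t old = b->length;
    toy_grow(b, old + n + 1);                /* BUG: return value not checked */
    memcpy(b->data + old, src, n);           /* may write past b->max */
    b->data[old + n] = '\0';
    b->length = old + n;
}

/* Corrected pattern: propagate the failure and leave the buffer unchanged. */
static int append_checked(toy_buf *b, const char *src, size_t n)
{
    size_t old = b->length;
    if (toy_grow(b, old + n + 1) == 0)
        return 0;
    memcpy(b->data + old, src, n);
    b->data[old + n] = '\0';
    b->length = old + n;
    return 1;
}

/* Returns 1 if the unchecked copy wrote past the buffer's capacity. */
static int demo_unchecked_overruns(void)
{
    toy_buf b = {NULL, 0, 0};
    g_alloc_limit = (size_t)-1;
    append_checked(&b, "abc", 3);            /* capacity 4, succeeds */
    g_alloc_limit = 8;                       /* growth to 11 bytes will fail */
    append_unchecked(&b, "defghij", 7);      /* bytes 4..10 land in the guard */
    int overrun = !toy_guard_intact(&b);
    toy_free(&b);
    return overrun;
}

/* Returns 1 if the checked copy refuses on both an empty and a full buffer
 * and leaves the existing contents intact. */
static int demo_checked_refuses(void)
{
    toy_buf b = {NULL, 0, 0};
    g_alloc_limit = 2;                       /* first growth fails while data == NULL */
    int empty_safe = (append_checked(&b, "abc", 3) == 0) && b.data == NULL;
    g_alloc_limit = (size_t)-1;
    append_checked(&b, "abc", 3);
    g_alloc_limit = 8;
    int second = append_checked(&b, "defghij", 7);
    int clean = (second == 0) && toy_guard_intact(&b) && b.length == 3
                && strcmp(b.data, "abc") == 0;
    toy_free(&b);
    return empty_safe && clean;
}

int main(void)
{
    printf("unchecked copy overran capacity: %d\n", demo_unchecked_overruns());
    printf("checked copy refused cleanly:    %d\n", demo_checked_refuses());
    return 0;
}
```

The NULL-dereference branch of the unchecked variant is deliberately never executed, since there is no way to make it safe; the checked variant shows the equivalent call on an empty buffer returning 0 with data still NULL, which is the behaviour a caller of str_copy needs to see propagated.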

