[openssl-dev] [openssl.org #4662] overflow check missing on BIO_new_file

Salz, Rich via RT rt at openssl.org
Sat Aug 27 14:02:19 UTC 2016


From: Sunil Singh [mailto:ekodeveloper0 at gmail.com]
Sent: Saturday, August 27, 2016 2:42 AM
To: Salz, Rich; openssl-security at openssl.org
Subject: Re: [openssl-security] Multiple issue with BIO_new_file Internal function (potential stack overflow/Crash)


I don't think it's right to say that it's not a security bug; if somebody passes a huge filename string which results in an _alloca failure, obviously it leads to stack overflow.

On the same grounds I can lightly compare it to malloc and not checking its return value.

Input to a function can come from any place; why do you think it should not be validated?

Also, if I agree with you, I can say simply strlen(...) is also valid then, but it is deprecated by MSFT and another, strlen_l(...), is provided which accepts a size.

For your convenience, check these:
http://linux.die.net/man/3/alloca

http://stackoverflow.com/questions/1018853/why-is-the-use-of-alloca-not-considered-good-practice

Also, I previously provided the MSFT link which clearly mentions its usage.

Thanks


On Fri, Aug 26, 2016 at 10:44 PM, Salz, Rich <rsalz at akamai.com> wrote:
This is not a security bug; an application program could mis-use the API.

Thanks for looking at the code!

--
Senior Architect, Akamai Technologies
IM: richsalz at jabber.at Twitter: RichSalz

From: Sunil Singh [mailto:ekodeveloper0 at gmail.com]
Sent: Friday, August 26, 2016 1:09 PM
To: openssl-security at openssl.org
Subject: [openssl-security] Multiple issue with BIO_new_file Internal function (potential stack overflow/Crash)

Hello,

While working on the program at https://hackerone.com/ibb-openssl this was found.

Report below:

Function design issue

1. In BIO_new_file there is no check of the filename param.
2. In the internal function call
static FILE *file_fopen(const char *filename, const char *mode)

again there is no check of the filename param.

3. At   WCHAR *wfilename = _alloca(sz * sizeof(WCHAR))
Refer to https://msdn.microsoft.com/en-us/library/wb1s57t5.aspx

For proper use of _alloca it must be guarded; it can cause a stack overflow in case the stack memory is not sufficient, and again no return value (wfilename) is checked.


Thanks,
Sunil Singh


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4662
Please log in as guest with password guest if prompted
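The report above objects to `_alloca(sz * sizeof(WCHAR))` in file_fopen growing the stack frame by a caller-controlled amount with no bound and no failure path. The following is an added example, not OpenSSL's code, showing that pattern next to a bounded form a practitioner would write instead: a fixed-size stack buffer for ordinary names, a heap allocation whose failure is reported for long ones, and an outright rejection above a cap. The cap (MAX_FILENAME_CHARS), the stack threshold (STACK_WCHARS), the helper names, and the ASCII-only `ascii_to_wide*` stand-ins for MultiByteToWideChar are all assumptions made so the example compiles and runs on any C99 toolchain; a C99 VLA stands in for `_alloca`, since both enlarge the current frame by a runtime-chosen size.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Assumptions for this example, not OpenSSL or Windows constants: the longest
 * filename accepted at all, and the largest buffer placed on the stack. */
#define MAX_FILENAME_CHARS 32767
#define STACK_WCHARS 260

enum alloc_path { ALLOC_REJECTED = -1, ALLOC_STACK = 0, ALLOC_HEAP = 1 };

/* Stand-in for the sizing call MultiByteToWideChar(..., NULL, 0): returns the
 * wide-char count including the NUL for an ASCII-only string, 0 on anything it
 * cannot convert (the real call also returns 0 on failure). */
static int ascii_to_wide_len(const char *s, size_t len_0)
{
    size_t i;
    if (len_0 == 0 || len_0 > (size_t)INT_MAX)
        return 0;
    for (i = 0; i + 1 < len_0; i++)
        if ((unsigned char)s[i] > 0x7f)
            return 0;
    return (int)len_0;
}

/* Stand-in for the second MultiByteToWideChar call that fills the buffer. */
static void ascii_to_wide(const char *s, size_t len_0, wchar_t *out)
{
    size_t i;
    for (i = 0; i < len_0; i++)
        out[i] = (wchar_t)(unsigned char)s[i];
}

/* The pattern the report objects to. The VLA plays the role of
 * _alloca(sz * sizeof(WCHAR)): the frame grows with the input length and
 * nothing bounds it, so a very long name exhausts the stack instead of
 * returning an error. Shown for contrast; only call it with short names. */
static size_t widen_unbounded_len(const char *filename)
{
    size_t len_0 = strlen(filename) + 1;
    int sz = ascii_to_wide_len(filename, len_0);
    if (sz <= 0)
        return 0;
    {
        wchar_t wfilename[sz];
        ascii_to_wide(filename, len_0, wfilename);
        return wcslen(wfilename);
    }
}

struct wide_name {
    wchar_t stack[STACK_WCHARS]; /* fixed frame cost, independent of input */
    wchar_t *heap;               /* set only when the name did not fit the stack */
    wchar_t *ptr;                /* whichever buffer holds the converted name */
};

/* Bounded replacement: every size has an explicit outcome. NULL, over-long and
 * unconvertible names are rejected; short names use the fixed stack buffer;
 * the rest go to the heap, and a malloc failure is reported, not dereferenced. */
int widen_filename(const char *filename, struct wide_name *w)
{
    size_t len_0;
    int sz;

    if (w == NULL)
        return ALLOC_REJECTED;
    w->heap = NULL;
    w->ptr = NULL;
    if (filename == NULL)
        return ALLOC_REJECTED;
    len_0 = strlen(filename) + 1;
    if (len_0 > MAX_FILENAME_CHARS)
        return ALLOC_REJECTED;
    sz = ascii_to_wide_len(filename, len_0);
    if (sz <= 0)
        return ALLOC_REJECTED;
    if ((size_t)sz <= STACK_WCHARS) {
        w->ptr = w->stack;
        ascii_to_wide(filename, len_0, w->ptr);
        return ALLOC_STACK;
    }
    w->heap = malloc((size_t)sz * sizeof(wchar_t));
    if (w->heap == NULL)
        return ALLOC_REJECTED;
    w->ptr = w->heap;
    ascii_to_wide(filename, len_0, w->ptr);
    return ALLOC_HEAP;
}

void wide_name_free(struct wide_name *w)
{
    if (w == NULL)
        return;
    free(w->heap);
    w->heap = NULL;
    w->ptr = NULL;
}

int main(void)
{
    struct wide_name w;
    int path = widen_filename("cert.pem", &w);
    printf("path=%d wide=%ls\n", path, w.ptr);
    wide_name_free(&w);
    return 0;
}
```

The caller-visible difference is that `widen_filename` never grows its frame with the input: a 5000-character name lands on the heap and a 40000-character one is refused with ALLOC_REJECTED, whereas `widen_unbounded_len` would try to push both onto the stack.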
