[openssl-dev] [openssl.org #2622] Buffer overflow using UI_add_input_string

Richard Levitte via RT rt at openssl.org
Mon May 16 13:42:16 UTC 2016


Fixing old ticket.

https://github.com/openssl/openssl/pull/1077

On Fri Oct 14 18:14:51 2011, ramsdell at mitre.org wrote:
> TrouSerS is an open-source TCG Software Stack by IBM. It uses OpenSSL
> to read passwords. The code in ssl_ui.c of the trousers library has a
> buffer overflow. I suspect many other applications may have the same
> problem because the documentation is not clear about how
> UI_add_input_string handles terminating null bytes. Here is the nub
> of the issue.
>
> People declare the buffer used by UI_add_input_string as:
>
> char pin_buf[UI_MAX_SECRET_STRING_LENGTH];
>
> and then call UI_add_input_string as:
>
> if (!UI_add_input_string(ui, "Enter PIN:", 0, pin_buf,
> 1, UI_MAX_SECRET_STRING_LENGTH))
>
> The documentation should tell them to use
>
> char pin_buf[UI_MAX_SECRET_STRING_LENGTH + 1];
>
> because there is a buffer overflow as demonstrated by the enclosed C
> program.
>
> $ make LDLIBS=-lcrypto ui
> cc ui.c -lcrypto -o ui
> $ ./ui
> pin_buf[UI_MAX_SECRET_STRING_LENGTH] = 1
> Enter PIN:ab
>
> strlen(pin_buf) = 2
> pin_buf = ab
> pin_buf[UI_MAX_SECRET_STRING_LENGTH] = 0
> $
>
> John
>


--
Richard Levitte
levitte at openssl.org

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=2622
Please log in as guest with password guest if prompted
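
The sizing rule from the report, as an added example that is not part of the original message and is not OpenSSL code: `read_secret` is a hypothetical stand-in for any reader whose size argument counts characters and excludes the terminating NUL, and `MAX_SECRET` is a constructed stand-in for `UI_MAX_SECRET_STRING_LENGTH`. It drives a maximum-length input and checks a guard byte placed directly after the caller's buffer.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SECRET 8    /* constructed stand-in for UI_MAX_SECRET_STRING_LENGTH */
#define GUARD      0x01 /* marker byte, like the 1 stored by the reporter's test */

/* Hypothetical reader (assumption, not the library's code): accepts up to
 * maxsize characters and then stores the terminator, so it may write
 * dst[0..maxsize], which is maxsize + 1 bytes in total. */
static size_t read_secret(char *dst, size_t maxsize, const char *input)
{
    size_t n = strlen(input);
    if (n > maxsize)
        n = maxsize;
    memcpy(dst, input, n);
    dst[n] = '\0';
    return n;
}

/* Treat the first buf_size bytes of a larger region as the caller's buffer
 * and the byte after it as a guard. Returns 1 if the guard survives a
 * maximum-length read, 0 if it was overwritten, -1 on bad arguments. */
static int guard_survives(size_t buf_size, size_t maxsize)
{
    unsigned char region[MAX_SECRET + 2]; /* backing store keeps the overrun in bounds */
    char input[MAX_SECRET + 1];           /* constructed worst-case input */

    if (maxsize > MAX_SECRET || buf_size > MAX_SECRET + 1)
        return -1;
    memset(region, GUARD, sizeof region);
    memset(input, 'A', maxsize);
    input[maxsize] = '\0';

    read_secret((char *)region, maxsize, input);
    return region[buf_size] == GUARD;
}

int main(void)
{
    /* Buffer of MAX_SECRET bytes, maxsize MAX_SECRET: terminator lands one past the end. */
    printf("buf[MAX],   maxsize MAX:   %d\n", guard_survives(MAX_SECRET, MAX_SECRET));
    /* Buffer of MAX_SECRET + 1 bytes, as the report recommends. */
    printf("buf[MAX+1], maxsize MAX:   %d\n", guard_survives(MAX_SECRET + 1, MAX_SECRET));
    /* Equivalent caller-side fix: keep the buffer, pass sizeof(buf) - 1. */
    printf("buf[MAX],   maxsize MAX-1: %d\n", guard_survives(MAX_SECRET, MAX_SECRET - 1));
    return 0;
}
```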


