[openssl-dev] [openssl.org #2622] Buffer overflow using UI_add_input_string

Richard Levitte via RT rt at openssl.org
Mon May 16 16:36:18 UTC 2016


Fixed, both for upcoming 1.1.0 and for 1.0.2.

On Mon May 16 13:42:16 2016, levitte wrote:
> Fixing old ticket.
>
> https://github.com/openssl/openssl/pull/1077
>
> On Fri Oct 14 18:14:51 2011, ramsdell at mitre.org wrote:
> > TrouSerS is an open-source TCG Software Stack by IBM. It uses OpenSSL
> > to read passwords. The code in ssl_ui.c of the trousers library has a
> > buffer overflow. I suspect many other applications may have the same
> > problem because the documentation is not clear about how
> > UI_add_input_string handles terminating null bytes. Here is the nub
> > of the issue.
> >
> > People declare the buffer used by UI_add_input_string as:
> >
> > char pin_buf[UI_MAX_SECRET_STRING_LENGTH];
> >
> > and then call UI_add_input_string as:
> >
> > if (!UI_add_input_string(ui, "Enter PIN:", 0, pin_buf,
> > 1, UI_MAX_SECRET_STRING_LENGTH))
> >
> > The documentation should tell them to use
> >
> > char pin_buf[UI_MAX_SECRET_STRING_LENGTH + 1];
> >
> > because there is a buffer overflow as demonstrated by the enclosed C
> > program.
> >
> > $ make LDLIBS=-lcrypto ui
> > cc ui.c -lcrypto -o ui
> > $ ./ui
> > pin_buf[UI_MAX_SECRET_STRING_LENGTH] = 1
> > Enter PIN:ab
> >
> > strlen(pin_buf) = 2
> > pin_buf = ab
> > pin_buf[UI_MAX_SECRET_STRING_LENGTH] = 0
> > $
> >
> > John
> >
>
>
> --
> Richard Levitte
> levitte at openssl.org


--
Richard Levitte
levitte at openssl.org

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=2622
Please log in as guest with password guest if prompted
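
Added example, not part of the thread and not OpenSSL or TrouSerS code: a self-contained C model of the sizing rule raised in the report. It assumes a reader that stores up to maxsize characters followed by a terminating NUL; MAX_SECRET, model_read_string, safe_maxsize and guard_clobbered are hypothetical names, and the input strings are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_SECRET 8  /* constructed stand-in for UI_MAX_SECRET_STRING_LENGTH */

/* Hypothetical model of a prompt reader (assumption, not OpenSSL code):
 * accepts at most maxsize characters, then appends the terminating NUL,
 * so it may write maxsize + 1 bytes into result. */
static size_t model_read_string(char *result, size_t maxsize, const char *typed)
{
    size_t n = strlen(typed);
    if (n > maxsize)
        n = maxsize;          /* longer input is truncated to maxsize */
    memcpy(result, typed, n);
    result[n] = '\0';         /* index maxsize for a full-length input */
    return n;
}

/* Largest maxsize that is safe to pass for a buffer of bufsize bytes. */
static size_t safe_maxsize(size_t bufsize)
{
    return bufsize ? bufsize - 1 : 0;
}

/* Returns 1 if the guard byte just past a declared_size-byte buffer is
 * overwritten. declared_size must be <= MAX_SECRET + 1; the region is large
 * enough that every write in this model stays in bounds. */
static int guard_clobbered(size_t declared_size, size_t maxsize, const char *typed)
{
    char region[MAX_SECRET + 2];
    memset(region, 'x', sizeof(region));
    region[declared_size] = 1;   /* guard, like pin_buf[...] = 1 in the report */
    model_read_string(region, maxsize, typed);
    return region[declared_size] != 1;
}

int main(void)
{
    const char *full = "12345678";   /* constructed input, MAX_SECRET chars */
    printf("buf[MAX],   maxsize=MAX:   clobbered=%d\n",
           guard_clobbered(MAX_SECRET, MAX_SECRET, full));
    printf("buf[MAX+1], maxsize=MAX:   clobbered=%d\n",
           guard_clobbered(MAX_SECRET + 1, MAX_SECRET, full));
    printf("buf[MAX],   maxsize=MAX-1: clobbered=%d\n",
           guard_clobbered(MAX_SECRET, safe_maxsize(MAX_SECRET), full));
    return 0;
}
```

Either remedy works in the model: declare the buffer one byte larger than maxsize, or pass sizeof(buf) - 1 as maxsize.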


