[openssl-users] CVE-2016-2180
Matt Caswell
matt at openssl.org
Fri Sep 16 09:04:19 UTC 2016
On 16/09/16 08:09, sivagopiraju wrote:
> And a small understanding.
>
> We are supplying a buffer of about 128 bytes to fill with the converted message,
> so if the obj (ASN1_OBJECT) size is more than that (supplied buffer) size,
> OBJ_obj2txt will truncate and will return the obj (ASN1_OBJECT) message
> length. It results in more than 128 (returned length) bytes. Because of this
> the crash is happening.
Yes. If OBJ_obj2txt() would normally supply a string of length (say) 256
bytes, then it will truncate it (with a NUL terminator) into the
supplied 128 byte buffer. It will still return a value of 256 though.
Then when we call BIO_write() we tell it to write 256 bytes from the 128
byte buffer == Out-of-bounds read. This could mean a crash, or writing
arbitrary memory contents to the BIO.
By using BIO_printf() instead we only print the string up to the NUL
terminator which should always be within the 128 byte buffer.
Matt
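The length mismatch Matt describes, as an added C example that is not from the OpenSSL source or this thread. snprintf() stands in for OBJ_obj2txt() because it has the same contract (truncate into the buffer, return the full untruncated length), and the 256-character input is constructed, not a real OID.

```c
#include <stdio.h>
#include <string.h>

/* Model of OBJ_obj2txt(): fills buf with at most buf_len-1 bytes plus a NUL,
 * but returns the length the complete text WOULD have had. snprintf() has
 * exactly this contract, so it is used here as the stand-in. */
static int obj2txt_model(char *buf, int buf_len, const char *full_text)
{
    return snprintf(buf, (size_t)buf_len, "%s", full_text);
}

/* Vulnerable pattern: the return value is handed to BIO_write() as the byte
 * count. Returns how many bytes BIO_write(bio, buf, len) would read from the
 * 128-byte buffer; anything above 128 is an out-of-bounds read. */
int bytes_read_vulnerable(const char *full_text)
{
    char buf[128];
    int len = obj2txt_model(buf, (int)sizeof(buf), full_text);
    return len;
}

/* Fixed pattern: only the NUL-terminated contents are used, which is what
 * BIO_printf(bio, "%s", buf) does. The result can never exceed 127. */
int bytes_read_fixed(const char *full_text)
{
    char buf[128];
    (void)obj2txt_model(buf, (int)sizeof(buf), full_text);
    return (int)strlen(buf);
}

/* Constructed sample input: a 256-character dotted-numeric string that is
 * longer than the 128-byte buffer (not a real OID). */
const char *long_oid_text(void)
{
    static char text[257];
    if (text[0] == '\0') {
        for (size_t i = 0; i < 256; i++)
            text[i] = (i % 2 == 0) ? '1' : '.';
        text[256] = '\0';
    }
    return text;
}

int main(void)
{
    printf("vulnerable: %d bytes read from a 128-byte buffer\n",
           bytes_read_vulnerable(long_oid_text()));
    printf("fixed:      %d bytes read\n", bytes_read_fixed(long_oid_text()));
    return 0;
}
```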