[openssl-users] CVE-2016-2180

Matt Caswell matt at openssl.org
Fri Sep 16 09:04:19 UTC 2016



On 16/09/16 08:09, sivagopiraju wrote:
> And a small understanding.
> 
> We are supplying a buffer of about 128 bytes to be filled with the converted message,
> so if the obj (ASN1_OBJECT) size is more than that (supplied buffer) size,
> OBJ_obj2txt will truncate and will return the obj (ASN1_OBJECT) message
> length.  It results in more than 128 (returned length) bytes. Because of this
> the crash is happening.

Yes. If OBJ_obj2txt() would normally supply a string of length (say) 256
bytes, then it will truncate it (with a NUL terminator) into the
supplied 128 byte buffer. It will still return a value of 256 though.

Then when we call BIO_write() we tell it to write 256 bytes from the 128
byte buffer == Out-of-bounds read. This could mean a crash, or writing
arbitrary memory contents to the BIO.

By using BIO_printf() instead we only print the string up to the NUL
terminator, which should always be within the 128 byte buffer.

Matt
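The length mismatch described in the reply, shown as an added stand-alone example (it is not OpenSSL's code and does not link against OpenSSL). `mock_obj2txt()` is a hypothetical stand-in that reproduces only the OBJ_obj2txt() contract the thread describes: it truncates into the caller's buffer with a NUL terminator but returns the full, untruncated length. `bio_write_request_len()` models the vulnerable call shape (length taken from that return value), `bio_printf_emitted_len()` models the fix (stop at the NUL), and the input text is constructed, not a real OID.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OBJ_BUF_LEN 128   /* the 128-byte buffer discussed in the thread */

/* Hypothetical stand-in (not OpenSSL code) with the OBJ_obj2txt() contract the
 * thread describes: copy at most buf_len-1 bytes, NUL-terminate, and return the
 * length of the FULL text even when it had to be truncated. */
static int mock_obj2txt(char *buf, int buf_len, const char *full_text)
{
    int full_len = (int)strlen(full_text);
    if (buf != NULL && buf_len > 0) {
        int n = full_len < buf_len - 1 ? full_len : buf_len - 1;
        memcpy(buf, full_text, (size_t)n);
        buf[n] = '\0';
    }
    return full_len;
}

/* Constructed input: a dotted-digit string of exactly `len` bytes standing in
 * for the text form of an over-long ASN1_OBJECT. `out` needs len+1 bytes. */
static void build_long_obj_text(char *out, size_t len)
{
    for (size_t i = 0; i < len; i++)
        out[i] = (i % 4 == 3) ? '.' : '9';
    out[len] = '\0';
}

/* Vulnerable pattern: the byte count handed to the writer is the value
 * OBJ_obj2txt() returned. Returns that count; whenever it exceeds OBJ_BUF_LEN,
 * BIO_write() would read past the end of the 128-byte stack buffer. */
static int bio_write_request_len(int full_len)
{
    char text[512];
    char buf[OBJ_BUF_LEN];
    build_long_obj_text(text, (size_t)full_len);
    int i = mock_obj2txt(buf, sizeof(buf), text);
    /* original call shape: BIO_write(bp, buf, i); */
    return i;
}

/* Fixed pattern: treat buf as a C string, so output stops at the NUL that
 * OBJ_obj2txt() always places inside the buffer. Returns the bytes emitted. */
static int bio_printf_emitted_len(int full_len)
{
    char text[512];
    char buf[OBJ_BUF_LEN];
    build_long_obj_text(text, (size_t)full_len);
    (void)mock_obj2txt(buf, sizeof(buf), text);
    /* original call shape: BIO_printf(bp, "%s", buf); */
    return (int)strlen(buf);
}

/* 1 if writing `n` bytes out of the OBJ_BUF_LEN buffer would read out of bounds. */
static int reads_out_of_bounds(int n)
{
    return n > OBJ_BUF_LEN;
}

int main(void)
{
    int lens[] = { 20, 127, 128, 256 };
    for (size_t k = 0; k < sizeof lens / sizeof lens[0]; k++) {
        int w = bio_write_request_len(lens[k]);
        int p = bio_printf_emitted_len(lens[k]);
        printf("full=%3d  BIO_write len=%3d (%s)  BIO_printf len=%3d (%s)\n",
               lens[k], w, reads_out_of_bounds(w) ? "OOB read" : "ok",
               p, reads_out_of_bounds(p) ? "OOB read" : "ok");
    }
    return 0;
}
```

The point the table makes when run: for any object whose text form is 128 bytes or longer, the BIO_write() path asks for more bytes than the buffer holds, while the BIO_printf() path never emits more than 127. The same rule applies to any API that returns the would-be length rather than the bytes written (snprintf() behaves the same way): never feed that return value to a length-driven write.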


