[openssl-users] CVE-2016-2180

Matthias Apitz guru at unixarea.de
Fri Sep 16 08:27:44 UTC 2016


On Friday, September 16, 2016 at 08:57:30AM +0100, Matt Caswell wrote:

> >> int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name);
> >>
> >> OBJ_obj2txt() converts the ASN1_OBJECT a into a textual representation. The
> >> representation is written as a null terminated string to buf at most buf_len
> >> bytes are written, truncating the result if necessary. *The total amount of
> >> space required is returned*. If no_name is 0 then if the object has a long
> >> or short name then that will be used, otherwise the numerical form will be
> >> used. If no_name is 1 then the numerical form will always be used.
> >>
> >> Above statement saying that *amount of space required is
> >> returned*.
> > 
> > I saw this, but 'amount of space required' is IMHO vague, I'd expect
> > 'the length of the resulting string is returned'
> 
> That is the heart of the problem. OBJ_obj2txt() does not return what you
> might expect. The author of TS_OBJ_print_bio() expected it to return the
> length of the resulting string (as you do). However OBJ_obj2txt() might
> truncate what it would otherwise produce if the supplied buffer isn't
> big enough - but it still returns the length of the untruncated string.
> 
> ...

I would even suggest to change the wording in the man page to:

"... representation is written as a null terminated string to buf at most buf_len
bytes are written, INCLUDING THE NULL BYTE, truncating the result ..."

-- 
Matthias Apitz               |  /"\   ASCII Ribbon Campaign:
E-mail: guru at unixarea.de     |  \ /   - No HTML/RTF in E-mail
WWW: http://www.unixarea.de/ |   X    - No proprietary attachments
phone: +49-176-38902045      |  / \   - Respect for open standards
                             | en.wikipedia.org/wiki/ASCII_Ribbon_Campaign
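
The return-value contract discussed in this message, as an added example that is not part of the original e-mail and is not OpenSSL code. `obj2txt_model()` is a hypothetical stand-in that follows the quoted man page text (at most buf_len bytes written including the NUL, untruncated length returned); `stored_len()` and `was_truncated()` are hypothetical helpers a caller could use instead of treating the return value as the string length, and the OID string is a constructed sample.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the documented OBJ_obj2txt() contract (hypothetical, not
 * OpenSSL code): write at most buf_len bytes INCLUDING the NUL terminator,
 * but return the length of the full, untruncated text. */
static int obj2txt_model(char *buf, int buf_len, const char *full_text)
{
    int need = (int)strlen(full_text);
    if (buf != NULL && buf_len > 0) {
        int n = need < buf_len - 1 ? need : buf_len - 1;
        memcpy(buf, full_text, (size_t)n);
        buf[n] = '\0';
    }
    return need;
}

/* Number of text bytes actually present in buf after the call.
 * Using the raw return value here instead is the mistaken expectation
 * described in the thread: it can exceed what the buffer holds. */
static int stored_len(int ret, int buf_len)
{
    if (ret <= 0 || buf_len <= 0)
        return 0;
    return ret < buf_len ? ret : buf_len - 1;
}

/* 1 if the text did not fit (the NUL needs one byte of buf_len). */
static int was_truncated(int ret, int buf_len)
{
    return ret >= buf_len;
}

int main(void)
{
    char buf[8];                               /* deliberately too small */
    const char *oid = "1.2.840.113549.1.1.11"; /* constructed sample input */
    int ret = obj2txt_model(buf, (int)sizeof(buf), oid);
    int len = stored_len(ret, (int)sizeof(buf));

    /* Only len bytes of buf are valid, even though ret is larger. */
    printf("returned=%d stored=%d truncated=%d text=%.*s\n",
           ret, len, was_truncated(ret, (int)sizeof(buf)), len, buf);
    return 0;
}
```

A caller that needs the full text can treat `was_truncated()` as the signal to retry with a buffer of `ret + 1` bytes.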

