Ensure we handle len == 0 in ERR_err_string_n
If len == 0 in a call to ERR_error_string_n() then we can read beyond the end of the buffer. Really applications should not be calling this function with len == 0, but we shouldn't be letting it through either! Thanks to Agostino Sarubbo for reporting this issue. Agostino's blog on this issue is available here: https://blogs.gentoo.org/ago/2016/10/14/openssl-libcrypto-stack-based-buffer-overflow-in-err_error_string_n-err-c/ Reviewed-by: Richard Levitte <levitte@openssl.org>
This commit is contained in:
Matt Caswell
parent
3ff3ee7a19
commit
e5c1361580
1 changed files with 3 additions and 0 deletions
|
|
@ -500,6 +500,9 @@ void ERR_error_string_n(unsigned long e, char *buf, size_t len)
|
|||
const char *ls, *fs, *rs;
|
||||
unsigned long l, f, r;
|
||||
|
||||
if (len == 0)
|
||||
return;
|
||||
|
||||
l = ERR_GET_LIB(e);
|
||||
f = ERR_GET_FUNC(e);
|
||||
r = ERR_GET_REASON(e);
|
||||
|
|
|
|||
Loading…
Reference in a new issue