openssl/crypto/err/err_blocks.c
Richard Levitte 189dbdd994 ERR: fix err_data_size inconsistencies
In ERR_add_error_vdata(), the size of err_data had 1 added to it in
some spots, which could lead to buffer overflow.

In ERR_vset_error(), ERR_MAX_DATA_SIZE was used instead of buf_size in
the BIO_vsnprintf() call, which would lead to a buffer overflow if
such a large buffer couldn't be allocated.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9491)
2019-07-31 13:22:13 +02:00

113 lines
2.9 KiB
C

/*
* Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <string.h>
#include <openssl/err.h>
#include "err_locl.h"
void ERR_new(void)
{
ERR_STATE *es;
es = ERR_get_state();
if (es == NULL)
return;
/* Allocate a slot */
err_get_slot(es);
err_clear(es, es->top, 0);
}
void ERR_set_debug(const char *file, int line, const char *func)
{
ERR_STATE *es;
es = ERR_get_state();
if (es == NULL)
return;
err_set_debug(es, es->top, file, line, func);
}
void ERR_set_error(int lib, int reason, const char *fmt, ...)
{
va_list args;
va_start(args, fmt);
ERR_vset_error(lib, reason, fmt, args);
va_end(args);
}
void ERR_vset_error(int lib, int reason, const char *fmt, va_list args)
{
ERR_STATE *es;
char *buf = NULL;
size_t buf_size = 0;
unsigned long flags = 0;
size_t i;
es = ERR_get_state();
if (es == NULL)
return;
i = es->top;
if (fmt != NULL) {
int printed_len = 0;
char *rbuf = NULL;
buf = es->err_data[i];
buf_size = es->err_data_size[i];
/*
* To protect the string we just grabbed from tampering by other
* functions we may call, or to protect them from freeing a pointer
* that may no longer be valid at that point, we clear away the
* data pointer and the flags. We will set them again at the end
* of this function.
*/
es->err_data[i] = NULL;
es->err_data_flags[i] = 0;
/*
* Try to maximize the space available. If that fails, we use what
* we have.
*/
if (buf_size < ERR_MAX_DATA_SIZE
&& (rbuf = OPENSSL_realloc(buf, ERR_MAX_DATA_SIZE)) != NULL) {
buf = rbuf;
buf_size = ERR_MAX_DATA_SIZE;
}
if (buf != NULL) {
printed_len = BIO_vsnprintf(buf, buf_size, fmt, args);
}
if (printed_len < 0)
printed_len = 0;
buf[printed_len] = '\0';
/*
* Try to reduce the size, but only if we maximized above. If that
* fails, we keep what we have.
* (According to documentation, realloc leaves the old buffer untouched
* if it fails)
*/
if ((rbuf = OPENSSL_realloc(buf, printed_len + 1)) != NULL) {
buf = rbuf;
buf_size = printed_len + 1;
}
if (buf != NULL)
flags = ERR_TXT_MALLOCED | ERR_TXT_STRING;
}
err_clear_data(es, es->top, 0);
err_set_error(es, es->top, lib, reason);
if (fmt != NULL)
err_set_data(es, es->top, buf, buf_size, flags);
}