Commit 3dce1099 authored by Rich Salz's avatar Rich Salz
Browse files

Fix possible memory over-read in apps/s_client.c 



a buffer returned from BIO_gets is not checked for it's length before
reading its contents.

Reviewed-by: default avatarBen Kaduk <kaduk@mit.edu>
Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3630)
parent 1c036c64

apps/s_client.c

+9 −0
Original line number Diff line number Diff line
@@ -2172,6 +2172,15 @@ int s_client_main(int argc, char **argv) 
             * HTTP/d.d ddd Reason text\r\n

             */

            mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);

            if (mbuf_len < (int)strlen("HTTP/1.0 200")) {

                BIO_printf(bio_err,

                           "%s: HTTP CONNECT failed, insufficient response "

                           "from proxy (got %d octets)\n", prog, mbuf_len);

                (void)BIO_flush(fbio);

                BIO_pop(fbio);

                BIO_free(fbio);

                goto shut;

            }

            if (mbuf[8] != ' ') {

                BIO_printf(bio_err,

                           "%s: HTTP CONNECT failed, incorrect response "