Commit a1673e15 authored Mar 08, 2016 by Benjamin Kaduk Committed by Rich Salz Mar 09, 2016

Avoid negative array index in BIO_debug_callback()



BIO_snprintf() can return -1 on truncation (and overflow as of commit
9cb17730).  Though neither can
realistically occur while printing a pointer and short fixed string into
a buffer of length 256, the analysis to confirm that this the case goes
somewhat far up the call chain, and not all static analyzers can
successfully follow the chain of logic.

It's easy enough to clamp the returned length to be nonnegative before
continuing, which appeases the static analyzer and does not harm the
subsequent code.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

parent 80e8fdbe

crypto/bio/bio_cb.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -77,6 +77,9 @@ long BIO_debug_callback(BIO bio, int cmd, const char argp,

		len = BIO_snprintf(buf,sizeof buf,"BIO[%p]: ",(void *)bio);

		/* Ignore errors and continue printing the other information. */
		if (len < 0)
		len = 0;
		p = buf + len;
		p_maxlen = sizeof(buf) - len;

Admin message