Commit e5c13615 authored Oct 12, 2016 by Matt Caswell

Ensure we handle len == 0 in ERR_err_string_n

If len == 0 in a call to ERR_error_string_n() then we can read beyond the
end of the buffer. Really applications should not be calling this function
with len == 0, but we shouldn't be letting it through either!

Thanks to Agostino Sarubbo for reporting this issue. Agostino's blog on
this issue is available here:
https://blogs.gentoo.org/ago/2016/10/14/openssl-libcrypto-stack-based-buffer-overflow-in-err_error_string_n-err-c/

Reviewed-by: Richard Levitte <levitte@openssl.org>

parent 3ff3ee7a

crypto/err/err.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -500,6 +500,9 @@ void ERR_error_string_n(unsigned long e, char *buf, size_t len)
		const char ls, fs, *rs;
		unsigned long l, f, r;

		if (len == 0)
		return;

		l = ERR_GET_LIB(e);
		f = ERR_GET_FUNC(e);
		r = ERR_GET_REASON(e);