Skip to content
  1. Feb 27, 2016
  2. Feb 26, 2016
  3. Feb 25, 2016
    • Matt Caswell's avatar
      Fix memory issues in BIO_*printf functions · 9cb17730
      Matt Caswell authored
      
      
      The internal |fmtstr| function used in processing a "%s" format string
      in the BIO_*printf functions could overflow while calculating the length
      of a string and cause an OOB read when printing very long strings.
      
      Additionally the internal |doapr_outch| function can attempt to write to
      an OOB memory location (at an offset from the NULL pointer) in the event of
      a memory allocation failure. In 1.0.2 and below this could be caused where
      the size of a buffer to be allocated is greater than INT_MAX. E.g. this
      could be in processing a very long "%s" format string. Memory leaks can also
      occur.
      
      These issues will only occur on certain platforms where sizeof(size_t) >
      sizeof(int). E.g. many 64 bit systems. The first issue may mask the second
      issue dependent on compiler behaviour.
      
      These problems could enable attacks where large amounts of untrusted data
      is passed to the BIO_*printf functions. If applications use these functions
      in this way then they could be vulnerable. OpenSSL itself uses these
      functions when printing out human-readable dumps of ASN.1 data. Therefore
      applications that print this data could be vulnerable if the data is from
      untrusted sources. OpenSSL command line applications could also be
      vulnerable where they print out ASN.1 data, or if untrusted data is passed
      as command line arguments.
      
      Libssl is not considered directly vulnerable. Additionally certificates etc
      received via remote connections via libssl are also unlikely to be able to
      trigger these issues because of message size limits enforced within libssl.
      
      CVE-2016-0799
      
      Issue reported by Guido Vranken.
      
      Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
      9cb17730