Message ID | 1548154968-13019-1-git-send-email-lstipakov@gmail.com |
---|---|
State | Superseded |
Series | [Openvpn-devel,1/2] crypto_openssl.c: fix heap-buffer-overflow found by AddressSanitizer |
On 22.01.19 at 12:02, Lev Stipakov wrote:
> From: Lev Stipakov <lev@openvpn.net>
>
> OpenSSL's version of crypto_pem_encode() uses PEM_write_bio()
> function to write PEM-encoded data to BIO object. That method doesn't
> add NUL terminator, unlike its mbedTLS counterpart mbedtls_pem_write_buffer().
>
> The code which uses PEM data treats it as a string, so missing NUL
> terminator makes sanitizer complain.
>
> Fix by adding a NUL terminator.
>
> Signed-off-by: Lev Stipakov <lev@openvpn.net>
> --- > src/openvpn/crypto_openssl.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c > index 9691ce0..6a49067 100644 > --- a/src/openvpn/crypto_openssl.c > +++ b/src/openvpn/crypto_openssl.c > @@ -400,8 +400,9 @@ crypto_pem_encode(const char *name, struct buffer *dst, > BUF_MEM *bptr; > BIO_get_mem_ptr(bio, &bptr); > > - *dst = alloc_buf_gc(bptr->length, gc); > + *dst = alloc_buf_gc(bptr->length + 1, gc); > ASSERT(buf_write(dst, bptr->data, bptr->length)); > + *BEND(dst) = '\0';

buf_null_terminate(dst) is a better function here :) Otherwise ACK, fixes the problem.

Arne
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 9691ce0..6a49067 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -400,8 +400,9 @@ crypto_pem_encode(const char *name, struct buffer *dst, BUF_MEM *bptr; BIO_get_mem_ptr(bio, &bptr); - *dst = alloc_buf_gc(bptr->length, gc); + *dst = alloc_buf_gc(bptr->length + 1, gc); ASSERT(buf_write(dst, bptr->data, bptr->length)); + *BEND(dst) = '\0'; ret = true; cleanup:
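Review bot: The terminator store at `*BEND(dst) = '\0';` is an unchecked raw write that is only in bounds because of the `+ 1` added to `alloc_buf_gc()` two lines earlier, and nothing in the hunk ties the two together. If the allocation size is later changed back or computed differently, this line becomes a one-byte heap overflow with no assertion to catch it, unlike the `ASSERT(buf_write(...))` directly above it. Prefer a bounds-checked buffer helper for the terminator (the reply on this page names `buf_null_terminate(dst)`), or wrap the store in an explicit capacity check. As written, the store also does not advance the buffer's length, so the NUL sits just past the recorded data; a short comment saying that PEM_write_bio() output is not NUL-terminated and that the extra byte is reserved for the terminator would make the `+ 1` self-explanatory to later readers.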