author | Matt Caswell <matt@openssl.org> | 2016-05-05 11:10:26 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2016-06-01 14:22:40 +0100 |
commit | a004e72b95835136d3f1ea90517f706c24c03da7 (patch) | |
tree | 2c8c502f9c7748209fbb41ac48b952afe73f84a8 /CONTRIBUTING | |
parent | f792c663048f19347a1bb72125e535e4fb2ecf39 (diff) |
Avoid some undefined pointer arithmetic

A common idiom in the codebase is:

    if (p + len > limit)
    {
        return; /* Too long */
    }

Where "p" points to some malloc'd data of SIZE bytes and
limit == p + SIZE

"len" here could be from some externally supplied data (e.g. from a TLS
message).

The rules of C pointer arithmetic are such that "p + len" is only well
defined where len <= SIZE. Therefore the above idiom is actually
undefined behaviour.

For example this could cause problems if some malloc implementation
provides an address for "p" such that "p + len" actually overflows for
values of len that are too big and therefore p + len < limit!

Issue reported by Guido Vranken.

CVE-2016-2177

Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'CONTRIBUTING')
0 files changed, 0 insertions, 0 deletions
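
The failure mode described in the commit message, next to one well-defined way to write the bounds check, as an added example that is not code from this commit or from OpenSSL. The function names, the 2-byte length-prefixed record format and the sample inputs are assumptions made for illustration; the wraparound is modelled with `uintptr_t` so that the demonstration itself stays free of undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the idiom "p + len > limit" using unsigned integers, so the
 * wraparound the commit message describes can be shown without invoking
 * undefined behaviour. Returns 1 if the idiom would REJECT len. */
static int idiom_rejects(uintptr_t p, size_t size, size_t len)
{
    uintptr_t limit = p + size;   /* limit == p + SIZE */
    uintptr_t end = p + len;      /* wraps modulo 2^N when len is huge */
    return end > limit;
}

/* Well-defined form: compare len against the bytes remaining.
 * Requires p <= limit within the same allocation, so limit - p is valid. */
static int len_too_long(const unsigned char *p, const unsigned char *limit,
                        size_t len)
{
    return len > (size_t)(limit - p);
}

/* Hypothetical parser: 2-byte big-endian length, then that many bytes.
 * Returns the payload length, or -1 if the record does not fit. */
static long parse_record(const unsigned char *buf, size_t size)
{
    const unsigned char *p = buf, *limit = buf + size;
    size_t len;
    if (len_too_long(p, limit, 2))
        return -1;                /* no room for the length field */
    len = ((size_t)p[0] << 8) | p[1];
    p += 2;
    if (len_too_long(p, limit, len))
        return -1;                /* Too long */
    return (long)len;
}

int main(void)
{
    /* Constructed sample inputs and a constructed high address. */
    const unsigned char ok[] = { 0x00, 0x03, 'a', 'b', 'c' };
    const unsigned char bad[] = { 0xff, 0xff, 'a', 'b', 'c' };
    uintptr_t high = UINTPTR_MAX - 0x1000;
    printf("idiom rejects oversized len at high address: %d\n",
           idiom_rejects(high, 16, 0x2000));
    printf("ok=%ld bad=%ld\n", parse_record(ok, sizeof ok),
           parse_record(bad, sizeof bad));
    return 0;
}
```

With the buffer modelled near the top of the address space, the idiom accepts a length far larger than the buffer, while the subtraction form never computes an address outside the allocation.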