Add some sanity checks for BIO_read* and BIO_gets

Make sure the return value isn't bigger than the buffer len Reviewed-by: Richard Levitte <levitte@openssl.org>
author: Matt Caswell <matt@openssl.org> 2016-10-21 15:21:55 +0100
committer: Matt Caswell <matt@openssl.org> 2016-10-28 09:48:54 +0100
commit: fbba62f6c9671b151df648f06afdf6af14518ab4 (patch)
tree: 306ae4259835d52da837c326788f6f2720ec950e /crypto/bio/bio_lib.c
parent: 42c6046064d2ee45d59baec53bedde4ea434294f (diff)
1 files changed, 11 insertions, 1 deletions
diff --git a/crypto/bio/bio_lib.c b/crypto/bio/bio_lib.c
index 1a9b9137ba..b8673adce0 100644
--- a/crypto/bio/bio_lib.c
+++ b/crypto/bio/bio_lib.c
@@ -278,6 +278,10 @@ static int bio_read_intern(BIO *b, void *data, size_t datal, size_t *read)
         ret = (int)bio_call_callback(b, BIO_CB_READ | BIO_CB_RETURN, data,
                                      datal, 0, 0L, ret, read);
 
+    /* Shouldn't happen */
+    if (ret > 0 && *read > datal)
+        return -1;
+
     return ret;
 }
 
@@ -433,6 +437,11 @@ int BIO_gets(BIO *b, char *out, int outl)
         return (-2);
     }
 
+    if (outl < 0) {
+        BIOerr(BIO_F_BIO_GETS, BIO_R_INVALID_ARGUMENT);
+        return 0;
+    }
+
     if (b->callback != NULL || b->callback_ex != NULL) {
         ret = (int)bio_call_callback(b, BIO_CB_GETS, out, outl, 0, 0L, 1, NULL);
         if (ret <= 0)
@@ -456,7 +465,8 @@ int BIO_gets(BIO *b, char *out, int outl)
                                      0, 0L, ret, &read);
 
     if (ret > 0) {
-        if (read > INT_MAX)
+        /* Shouldn't happen */
+        if (read > (size_t)outl)
             ret = -1;
         else
             ret = (int)read;
author	Matt Caswell <matt@openssl.org>	2016-10-21 15:21:55 +0100
committer	Matt Caswell <matt@openssl.org>	2016-10-28 09:48:54 +0100
commit	fbba62f6c9671b151df648f06afdf6af14518ab4 (patch)
tree	306ae4259835d52da837c326788f6f2720ec950e /crypto/bio/bio_lib.c
parent	42c6046064d2ee45d59baec53bedde4ea434294f (diff)