diff options
| author | Pauli <paul.dale@oracle.com> | 2017-07-07 10:17:59 +1000 |
|---|---|---|
| committer | Pauli <paul.dale@oracle.com> | 2017-07-07 13:37:06 +1000 |
| commit | 86ba26c80a49aee3c588d286d91eb3843529f7e2 (patch) | |
| tree | 36b8d1ee9730e7cd1cd95e976fd2d7b5816441f0 /crypto/mem_dbg.c | |
| parent | b4df712acad6514efc8753d9aa8b5fe3a721c811 (diff) | |
Address potential buffer overflows.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3878)
Diffstat (limited to 'crypto/mem_dbg.c')
| -rw-r--r-- | crypto/mem_dbg.c | 62 |
1 files changed, 45 insertions, 17 deletions
diff --git a/crypto/mem_dbg.c b/crypto/mem_dbg.c index 1ab52a86e8..70b5e62ab5 100644 --- a/crypto/mem_dbg.c +++ b/crypto/mem_dbg.c @@ -453,8 +453,9 @@ static void print_leak(const MEM *m, MEM_LEAK *l) { char buf[1024]; char *bufp = buf; + size_t len = sizeof(buf), ami_cnt; APP_INFO *amip; - int ami_cnt; + int n; struct tm *lcl = NULL; /* * Convert between CRYPTO_THREAD_ID (which could be anything at all) and @@ -468,21 +469,37 @@ static void print_leak(const MEM *m, MEM_LEAK *l) CRYPTO_THREAD_ID ti; lcl = localtime(&m->time); - sprintf(bufp, "[%02d:%02d:%02d] ", lcl->tm_hour, lcl->tm_min, lcl->tm_sec); - bufp += strlen(bufp); + n = BIO_snprintf(bufp, len, "[%02d:%02d:%02d] ", + lcl->tm_hour, lcl->tm_min, lcl->tm_sec); + if (n <= 0) { + bufp[0] = '\0'; + return; + } + bufp += n; + len -= n; - sprintf(bufp, "%5lu file=%s, line=%d, ", m->order, m->file, m->line); - bufp += strlen(bufp); + n = BIO_snprintf(bufp, len, "%5lu file=%s, line=%d, ", + m->order, m->file, m->line); + if (n <= 0) + return; + bufp += n; + len -= n; tid.ltid = 0; tid.tid = m->threadid; - sprintf(bufp, "thread=%lu, ", tid.ltid); - bufp += strlen(bufp); + n = BIO_snprintf(bufp, len, "thread=%lu, ", tid.ltid); + if (n <= 0) + return; + bufp += n; + len -= n; - sprintf(bufp, "number=%d, address=%p\n", m->num, m->addr); - bufp += strlen(bufp); + n = BIO_snprintf(bufp, len, "number=%d, address=%p\n", m->num, m->addr); + if (n <= 0) + return; + bufp += n; + len -= n; - l->print_cb(buf, strlen(buf), l->print_cb_arg); + l->print_cb(buf, (size_t)(bufp - buf), l->print_cb_arg); l->chunks++; l->bytes += m->num; @@ -498,23 +515,34 @@ static void print_leak(const MEM *m, MEM_LEAK *l) int info_len; ami_cnt++; + if (ami_cnt >= sizeof(buf) - 1) + break; memset(buf, '>', ami_cnt); + buf[ami_cnt] = '\0'; tid.ltid = 0; tid.tid = amip->threadid; - sprintf(buf + ami_cnt, " thread=%lu, file=%s, line=%d, info=\"", - tid.ltid, amip->file, amip->line); - buf_len = strlen(buf); + n = BIO_snprintf(buf + ami_cnt, sizeof(buf) - ami_cnt, + " thread=%lu, file=%s, line=%d, info=\"", + tid.ltid, amip->file, amip->line); + if (n <= 0) + break; + buf_len = ami_cnt + n; info_len = strlen(amip->info); if (128 - buf_len - 3 < info_len) { memcpy(buf + buf_len, amip->info, 128 - buf_len - 3); buf_len = 128 - 3; } else { - strcpy(buf + buf_len, amip->info); - buf_len = strlen(buf); + n = BIO_snprintf(buf + buf_len, sizeof(buf) - buf_len, "%s", + amip->info); + if (n < 0) + break; + buf_len += n; } - sprintf(buf + buf_len, "\"\n"); + n = BIO_snprintf(buf + buf_len, sizeof(buf) - buf_len, "\"\n"); + if (n <= 0) + break; - l->print_cb(buf, strlen(buf), l->print_cb_arg); + l->print_cb(buf, buf_len + n, l->print_cb_arg); amip = amip->next; } |