diff options
author | Richard Levitte <levitte@openssl.org> | 2019-07-31 09:27:05 +0200 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2019-07-31 13:22:13 +0200 |
commit | 189dbdd99416a481d49a43bd7f4a8ab90bef1e85 (patch) | |
tree | 8a4534da80ff59a18de141d0e7c3314cfc491cd8 /crypto | |
parent | faa9dcd4d468441422254ab2d887bb267e0245b6 (diff) |
ERR: fix err_data_size inconsistencies
In ERR_add_error_vdata(), the size of err_data had 1 added to it in
some spots, which could lead to buffer overflow.
In ERR_vset_error(), ERR_MAX_DATA_SIZE was used instead of buf_size in
the BIO_vsnprintf() call, which would lead to a buffer overflow if
such a large buffer couldn't be allocated.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9491)
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/err/err.c | 6 | ||||
-rw-r--r-- | crypto/err/err_blocks.c | 2 |
2 files changed, 4 insertions, 4 deletions
diff --git a/crypto/err/err.c b/crypto/err/err.c index f129c1c7d6..24549e3a49 100644 --- a/crypto/err/err.c +++ b/crypto/err/err.c @@ -795,18 +795,18 @@ void ERR_add_error_vdata(int num, va_list args) if (arg == NULL) arg = "<NULL>"; len += strlen(arg); - if (len > size) { + if (len >= size) { char *p; size = len + 20; - p = OPENSSL_realloc(str, size + 1); + p = OPENSSL_realloc(str, size); if (p == NULL) { OPENSSL_free(str); return; } str = p; } - OPENSSL_strlcat(str, arg, (size_t)size + 1); + OPENSSL_strlcat(str, arg, (size_t)size); } if (!err_set_error_data_int(str, size, flags, 0)) OPENSSL_free(str); diff --git a/crypto/err/err_blocks.c b/crypto/err/err_blocks.c index 49086bd0c2..cf1bb9708a 100644 --- a/crypto/err/err_blocks.c +++ b/crypto/err/err_blocks.c @@ -85,7 +85,7 @@ void ERR_vset_error(int lib, int reason, const char *fmt, va_list args) } if (buf != NULL) { - printed_len = BIO_vsnprintf(buf, ERR_MAX_DATA_SIZE, fmt, args); + printed_len = BIO_vsnprintf(buf, buf_size, fmt, args); } if (printed_len < 0) printed_len = 0; |