diff options
| author | Nicola Tuveri <nicola.tuveri@ibm.com> | 2020-03-27 15:39:34 +0100 |
|---|---|---|
| committer | Nicola Tuveri <nic.tuv@gmail.com> | 2020-03-30 17:06:56 +0300 |
| commit | fd03868b34faaa711403d9ac0843d33811fbf961 (patch) | |
| tree | 452d213936b517f1bc0d8406a744b95fd1a56bb0 /ssl | |
| parent | 551543e5e2779fbb242cca40813f3bea4f6f43d0 (diff) | |
Fix off-by-1 bug on provider_activate with custom error strings
Starting `cnt` from 1 would work if we weren't using cnt itself to
access elements of the array returned calling the provider callback.
As it is before this commit, we have 2 problems:
- first, in the unlikely case that the incoming array was "empty" (only
contains the terminator item) we would skip past it and potentially
end up with oob reads;
- otherwise, at the end of the while loop, `cnt` will be equal to the
number of items in the input array, not 1 more. We then add 1 more to
the zalloc call to account for the library name item, and we fill all
of it (relying on zalloc to have zeroed the terminator item).
The first read access that will read the list up to the terminator
will result in a OOB read as we did not allocate enough space to also
contain the terminator.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11427)
Diffstat (limited to 'ssl')
0 files changed, 0 insertions, 0 deletions