diff options
author | Michael Baentsch <57787676+baentsch@users.noreply.github.com> | 2024-02-19 06:41:35 +0100 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2024-02-22 12:48:21 +0100 |
commit | f4ed6eed2c8fcb1852938683669218655fe4f894 (patch) | |
tree | 36d38c2936c37723d3c5b9a5bcadb49564661d47 /ssl | |
parent | db511578f7822ed6aa47760adfdc08ef84a17698 (diff) |
SSL_set1_groups_list(): Fix memory corruption with 40 groups and more
Fixes #23624
The calculation of the size for gid_arr reallocation was wrong.
A multiplication by gid_arr array item size was missing.
Testcase is added.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23625)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/t1_lib.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index de82d2b33a..ed40f1091b 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1049,7 +1049,8 @@ static int gid_cb(const char *elem, int len, void *arg) return 0; if (garg->gidcnt == garg->gidmax) { uint16_t *tmp = - OPENSSL_realloc(garg->gid_arr, garg->gidmax + GROUPLIST_INCREMENT); + OPENSSL_realloc(garg->gid_arr, + (garg->gidmax + GROUPLIST_INCREMENT) * sizeof(*garg->gid_arr)); if (tmp == NULL) return 0; garg->gidmax += GROUPLIST_INCREMENT; |