Fix a <= 5-byte buffer overwrite in print_bin()

If the offset is > 124, this function would overwrite between 1 and 5 bytes of stack space after str[128]. So for a quick fix extend the buffer by 5 bytes. Obviously this is the permanent fix chosen elswehere. The proper fix will be to rewrite this function from scratch. Reported in detail by Masaru Masuda, many thanks! Fixes https://github.com/libressl/openbsd/issues/145 begrudging ok from beck
author: tb <> 2023-11-21 16:31:31 +0000
committer: tb <> 2023-11-21 16:31:31 +0000
commit: 7c178f9af5dd84d292b8bda62f75d0c3ff7d5206 (patch)
tree: fe50c364dd33abd3e06e86ffb4e947a22fcc8fe0
parent: 3c386b86733a195034fd6941e0f073fbe4da9a72 (diff)
download: openbsd-7c178f9af5dd84d292b8bda62f75d0c3ff7d5206.tar.gz
openbsd-7c178f9af5dd84d292b8bda62f75d0c3ff7d5206.tar.bz2
openbsd-7c178f9af5dd84d292b8bda62f75d0c3ff7d5206.zip
1 files changed, 3 insertions, 2 deletions
diff --git a/src/lib/libcrypto/ec/eck_prn.c b/src/lib/libcrypto/ec/eck_prn.c
index 6e89bfa739..45e0bc80e9 100644
--- a/src/lib/libcrypto/ec/eck_prn.c
+++ b/src/lib/libcrypto/ec/eck_prn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: eck_prn.c,v 1.28 2023/07/07 13:54:45 beck Exp $ */
+/* $OpenBSD: eck_prn.c,v 1.29 2023/11/21 16:31:31 tb Exp $ */
 /*
 * Written by Nils Larsch for the OpenSSL project.
 */
@@ -322,7 +322,8 @@ print_bin(BIO *fp, const char *name, const unsigned char *buf,
    size_t len, int off)
 {
        size_t i;
-        char str[128];
+        /* XXX - redo the function with asprintf/strlcat. */
+        char str[128 + 1 + 4];
        if (buf == NULL)
                return 1;
author	tb <>	2023-11-21 16:31:31 +0000
committer	tb <>	2023-11-21 16:31:31 +0000
commit	7c178f9af5dd84d292b8bda62f75d0c3ff7d5206 (patch)
tree	fe50c364dd33abd3e06e86ffb4e947a22fcc8fe0
parent	3c386b86733a195034fd6941e0f073fbe4da9a72 (diff)
download	openbsd-7c178f9af5dd84d292b8bda62f75d0c3ff7d5206.tar.gz openbsd-7c178f9af5dd84d292b8bda62f75d0c3ff7d5206.tar.bz2 openbsd-7c178f9af5dd84d292b8bda62f75d0c3ff7d5206.zip