summaryrefslogtreecommitdiff
path: root/src/lib/libc/string/memcpy.c
diff options
context:
space:
mode:
authorschwarze <>2020-07-23 17:15:35 +0000
committerschwarze <>2020-07-23 17:15:35 +0000
commitbc9c51cf66fc92815074622c1c64a0e8bd9d5796 (patch)
treec8fd156c6634db94fcd09f8530f24d6fe60371b3 /src/lib/libc/string/memcpy.c
parentd4354bce356f56b21d16015ca9fb3aeed6bf2c42 (diff)
downloadopenbsd-bc9c51cf66fc92815074622c1c64a0e8bd9d5796.tar.gz
openbsd-bc9c51cf66fc92815074622c1c64a0e8bd9d5796.tar.bz2
openbsd-bc9c51cf66fc92815074622c1c64a0e8bd9d5796.zip
Fix a bug in PEM_X509_INFO_read_bio(3) that is very likely to cause
use-after-free and double-free issues in calling programs. The bug was introduced in SSLeay-0.6.0 released on June 21, 1996 and has been present since OpenBSD 2.4. I found the bug while documenting the function. The bug could bite in two ways that looked quite different from the perspective of the calling code: * If a stack was passed in that already contained some X509_INFO objects and an error occurred, all the objects passed in would be freed, but without removing the freed pointers from the stack, so the calling code would probable continue to access the freed pointers and eventually free them a second time. * If the input BIO contained at least two valid PEM objects followed by at least one PEM object causing an error, at least one freed pointer would be put onto the stack, even though the function would return NULL rather than the stack. But the calling code would still have a pointer to the stack, so it would be likely to access the new bogus pointers sooner or later. Fix all this by remembering the size of the input stack on entry and cutting it back to exactly that size when exiting due to an error, but no further. While here, do some related cleanup: * Garbage collect the automatic variables "error" and "i" which were only used at one single place each. * Use NULL rather than 0 for pointers. I like bugfixes that make the code four lines shorter, reduce the number of variables by one, reduce the number of brace-blocks by one, reduce the number if if-statements by one, and reduce the number of else-clauses by one. Tweaks and OK tb@.
Diffstat (limited to 'src/lib/libc/string/memcpy.c')
0 files changed, 0 insertions, 0 deletions