diff options
author | tb <> | 2018-08-14 17:51:36 +0000 |
---|---|---|
committer | tb <> | 2018-08-14 17:51:36 +0000 |
commit | bb1d97427df2d89362a9a4b4d02e7fa26ef0cdf8 (patch) | |
tree | 09d5abfb98feb767117683f1e4d667977cbf1f49 /src/lib/libcrypto/evp/p_open.c | |
parent | 6c03c79c878867ba3e9e82a10e2cb110bc526f56 (diff) | |
download | openbsd-bb1d97427df2d89362a9a4b4d02e7fa26ef0cdf8.tar.gz openbsd-bb1d97427df2d89362a9a4b4d02e7fa26ef0cdf8.tar.bz2 openbsd-bb1d97427df2d89362a9a4b4d02e7fa26ef0cdf8.zip |
The UI_add_{input,verify}_string() functions want a length not including
the terminating NUL. EVP_read_pw_string_min() got this wrong, leading to
a one-byte buffer overrun in all callers of EVP_read_pw_string().
Found by mestre running 'openssl passwd' with MALLOC_OPTIONS including C.
Fix this by doing some basic sanity checking in EVP_read_pw_string_min().
Cap the len argument at BUFSIZ and ensure that min < len as well as
0 <= min and 1 <= len. The last two checks are important as these
numbers may end up in reallocarray().
ok bcook (on previous version), jsing, mestre
Diffstat (limited to 'src/lib/libcrypto/evp/p_open.c')
0 files changed, 0 insertions, 0 deletions