diff options
| author | deraadt <> | 2014-04-19 16:18:22 +0000 |
|---|---|---|
| committer | deraadt <> | 2014-04-19 16:18:22 +0000 |
| commit | ee7155e3a946d7bc06a4f8b8f9b76eb7663c19c8 (patch) | |
| tree | 16b923c80684b191185b4d5d940ee49015d083ce /src | |
| parent | 1a1112f5049fdc82937efea1fea182f4b589bb91 (diff) | |
| download | openbsd-ee7155e3a946d7bc06a4f8b8f9b76eb7663c19c8.tar.gz openbsd-ee7155e3a946d7bc06a4f8b8f9b76eb7663c19c8.tar.bz2 openbsd-ee7155e3a946d7bc06a4f8b8f9b76eb7663c19c8.zip | |
truncation check some snprintf calls (over-cautiously in case)
ok jsing beck
Diffstat (limited to '')
| -rw-r--r-- | src/lib/libssl/src/apps/apps.c | 10 | ||||
| -rw-r--r-- | src/lib/libssl/src/apps/enc.c | 7 | ||||
| -rw-r--r-- | src/lib/libssl/src/apps/req.c | 59 | ||||
| -rw-r--r-- | src/lib/libssl/src/apps/s_time.c | 21 |
4 files changed, 78 insertions, 19 deletions
diff --git a/src/lib/libssl/src/apps/apps.c b/src/lib/libssl/src/apps/apps.c index 0536aa6134..6413d5c437 100644 --- a/src/lib/libssl/src/apps/apps.c +++ b/src/lib/libssl/src/apps/apps.c | |||
| @@ -1436,7 +1436,7 @@ save_serial(char *serialfile, char *suffix, BIGNUM * serial, | |||
| 1436 | { | 1436 | { |
| 1437 | char buf[1][BSIZE]; | 1437 | char buf[1][BSIZE]; |
| 1438 | BIO *out = NULL; | 1438 | BIO *out = NULL; |
| 1439 | int ret = 0; | 1439 | int ret = 0, n; |
| 1440 | ASN1_INTEGER *ai = NULL; | 1440 | ASN1_INTEGER *ai = NULL; |
| 1441 | int j; | 1441 | int j; |
| 1442 | 1442 | ||
| @@ -1449,9 +1449,13 @@ save_serial(char *serialfile, char *suffix, BIGNUM * serial, | |||
| 1449 | goto err; | 1449 | goto err; |
| 1450 | } | 1450 | } |
| 1451 | if (suffix == NULL) | 1451 | if (suffix == NULL) |
| 1452 | strlcpy(buf[0], serialfile, BSIZE); | 1452 | n = strlcpy(buf[0], serialfile, BSIZE); |
| 1453 | else | 1453 | else |
| 1454 | snprintf(buf[0], sizeof buf[0], "%s.%s", serialfile, suffix); | 1454 | n = snprintf(buf[0], sizeof buf[0], "%s.%s", serialfile, suffix); |
| 1455 | if (n == -1 || n >= sizeof(buf[0])) { | ||
| 1456 | BIO_printf(bio_err, "serial too long\n"); | ||
| 1457 | goto err; | ||
| 1458 | } | ||
| 1455 | #ifdef RL_DEBUG | 1459 | #ifdef RL_DEBUG |
| 1456 | BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]); | 1460 | BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]); |
| 1457 | #endif | 1461 | #endif |
diff --git a/src/lib/libssl/src/apps/enc.c b/src/lib/libssl/src/apps/enc.c index c8f04106cc..5a0dca5cfe 100644 --- a/src/lib/libssl/src/apps/enc.c +++ b/src/lib/libssl/src/apps/enc.c | |||
| @@ -387,10 +387,15 @@ enc_main(int argc, char **argv) | |||
| 387 | if ((str == NULL) && (cipher != NULL) && (hkey == NULL)) { | 387 | if ((str == NULL) && (cipher != NULL) && (hkey == NULL)) { |
| 388 | for (;;) { | 388 | for (;;) { |
| 389 | char buf[200]; | 389 | char buf[200]; |
| 390 | int ret; | ||
| 390 | 391 | ||
| 391 | snprintf(buf, sizeof buf, "enter %s %s password:", | 392 | ret = snprintf(buf, sizeof buf, "enter %s %s password:", |
| 392 | OBJ_nid2ln(EVP_CIPHER_nid(cipher)), | 393 | OBJ_nid2ln(EVP_CIPHER_nid(cipher)), |
| 393 | (enc) ? "encryption" : "decryption"); | 394 | (enc) ? "encryption" : "decryption"); |
| 395 | if (ret == -1 || ret >= sizeof buf) { | ||
| 396 | BIO_printf(bio_err, "Password prompt too long\n"); | ||
| 397 | goto end; | ||
| 398 | } | ||
| 394 | strbuf[0] = '\0'; | 399 | strbuf[0] = '\0'; |
| 395 | i = EVP_read_pw_string((char *) strbuf, SIZE, buf, enc); | 400 | i = EVP_read_pw_string((char *) strbuf, SIZE, buf, enc); |
| 396 | if (i == 0) { | 401 | if (i == 0) { |
diff --git a/src/lib/libssl/src/apps/req.c b/src/lib/libssl/src/apps/req.c index 38428f856d..8fac59231f 100644 --- a/src/lib/libssl/src/apps/req.c +++ b/src/lib/libssl/src/apps/req.c | |||
| @@ -1074,24 +1074,40 @@ start: for (;;) { | |||
| 1074 | goto start; | 1074 | goto start; |
| 1075 | ret = snprintf(buf, sizeof buf, "%s_default", v->name); | 1075 | ret = snprintf(buf, sizeof buf, "%s_default", v->name); |
| 1076 | if (ret == -1 || ret >= sizeof(buf)) { | 1076 | if (ret == -1 || ret >= sizeof(buf)) { |
| 1077 | BIO_printf(bio_err, "Name '%s' too long\n", v->name); | 1077 | BIO_printf(bio_err, "Name '%s' too long for default\n", |
| 1078 | v->name); | ||
| 1078 | return 0; | 1079 | return 0; |
| 1079 | } | 1080 | } |
| 1080 | if ((def = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) { | 1081 | if ((def = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) { |
| 1081 | ERR_clear_error(); | 1082 | ERR_clear_error(); |
| 1082 | def = ""; | 1083 | def = ""; |
| 1083 | } | 1084 | } |
| 1084 | snprintf(buf, sizeof buf, "%s_value", v->name); | 1085 | ret = snprintf(buf, sizeof buf, "%s_value", v->name); |
| 1086 | if (ret == -1 || ret >= sizeof(buf)) { | ||
| 1087 | BIO_printf(bio_err, "Name '%s' too long for value\n", | ||
| 1088 | v->name); | ||
| 1089 | return 0; | ||
| 1090 | } | ||
| 1085 | if ((value = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) { | 1091 | if ((value = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) { |
| 1086 | ERR_clear_error(); | 1092 | ERR_clear_error(); |
| 1087 | value = NULL; | 1093 | value = NULL; |
| 1088 | } | 1094 | } |
| 1089 | snprintf(buf, sizeof buf, "%s_min", v->name); | 1095 | ret = snprintf(buf, sizeof buf, "%s_min", v->name); |
| 1096 | if (ret == -1 || ret >= sizeof(buf)) { | ||
| 1097 | BIO_printf(bio_err, "Name '%s' too long for min\n", | ||
| 1098 | v->name); | ||
| 1099 | return 0; | ||
| 1100 | } | ||
| 1090 | if (!NCONF_get_number(req_conf, dn_sect, buf, &n_min)) { | 1101 | if (!NCONF_get_number(req_conf, dn_sect, buf, &n_min)) { |
| 1091 | ERR_clear_error(); | 1102 | ERR_clear_error(); |
| 1092 | n_min = -1; | 1103 | n_min = -1; |
| 1093 | } | 1104 | } |
| 1094 | snprintf(buf, sizeof buf, "%s_max", v->name); | 1105 | ret = snprintf(buf, sizeof buf, "%s_max", v->name); |
| 1106 | if (ret == -1 || ret >= sizeof(buf)) { | ||
| 1107 | BIO_printf(bio_err, "Name '%s' too long for max\n", | ||
| 1108 | v->name); | ||
| 1109 | return 0; | ||
| 1110 | } | ||
| 1095 | if (!NCONF_get_number(req_conf, dn_sect, buf, &n_max)) { | 1111 | if (!NCONF_get_number(req_conf, dn_sect, buf, &n_max)) { |
| 1096 | ERR_clear_error(); | 1112 | ERR_clear_error(); |
| 1097 | n_max = -1; | 1113 | n_max = -1; |
| @@ -1105,12 +1121,15 @@ start: for (;;) { | |||
| 1105 | return 0; | 1121 | return 0; |
| 1106 | } | 1122 | } |
| 1107 | if (attribs) { | 1123 | if (attribs) { |
| 1108 | if ((attr_sk != NULL) && (sk_CONF_VALUE_num(attr_sk) > 0) && (!batch)) { | 1124 | if ((attr_sk != NULL) && (sk_CONF_VALUE_num(attr_sk) > 0) && |
| 1109 | BIO_printf(bio_err, "\nPlease enter the following 'extra' attributes\n"); | 1125 | (!batch)) { |
| 1110 | BIO_printf(bio_err, "to be sent with your certificate request\n"); | 1126 | BIO_printf(bio_err, |
| 1127 | "\nPlease enter the following 'extra' attributes\n"); | ||
| 1128 | BIO_printf(bio_err, | ||
| 1129 | "to be sent with your certificate request\n"); | ||
| 1111 | } | 1130 | } |
| 1112 | i = -1; | 1131 | i = -1; |
| 1113 | start2: for (;;) { | 1132 | start2: for (;;) { |
| 1114 | int ret; | 1133 | int ret; |
| 1115 | i++; | 1134 | i++; |
| 1116 | if ((attr_sk == NULL) || | 1135 | if ((attr_sk == NULL) || |
| @@ -1123,7 +1142,8 @@ start: for (;;) { | |||
| 1123 | goto start2; | 1142 | goto start2; |
| 1124 | ret = snprintf(buf, sizeof buf, "%s_default", type); | 1143 | ret = snprintf(buf, sizeof buf, "%s_default", type); |
| 1125 | if (ret == -1 || ret >= sizeof(buf)) { | 1144 | if (ret == -1 || ret >= sizeof(buf)) { |
| 1126 | BIO_printf(bio_err, "Name '%s' too long\n", v->name); | 1145 | BIO_printf(bio_err, "Name '%s' too long for default\n", |
| 1146 | v->name); | ||
| 1127 | return 0; | 1147 | return 0; |
| 1128 | } | 1148 | } |
| 1129 | if ((def = NCONF_get_string(req_conf, attr_sect, buf)) | 1149 | if ((def = NCONF_get_string(req_conf, attr_sect, buf)) |
| @@ -1131,18 +1151,33 @@ start: for (;;) { | |||
| 1131 | ERR_clear_error(); | 1151 | ERR_clear_error(); |
| 1132 | def = ""; | 1152 | def = ""; |
| 1133 | } | 1153 | } |
| 1134 | snprintf(buf, sizeof buf, "%s_value", type); | 1154 | ret = snprintf(buf, sizeof buf, "%s_value", type); |
| 1155 | if (ret == -1 || ret >= sizeof(buf)) { | ||
| 1156 | BIO_printf(bio_err, "Name '%s' too long for value\n", | ||
| 1157 | v->name); | ||
| 1158 | return 0; | ||
| 1159 | } | ||
| 1135 | if ((value = NCONF_get_string(req_conf, attr_sect, buf)) | 1160 | if ((value = NCONF_get_string(req_conf, attr_sect, buf)) |
| 1136 | == NULL) { | 1161 | == NULL) { |
| 1137 | ERR_clear_error(); | 1162 | ERR_clear_error(); |
| 1138 | value = NULL; | 1163 | value = NULL; |
| 1139 | } | 1164 | } |
| 1140 | snprintf(buf, sizeof buf, "%s_min", type); | 1165 | ret = snprintf(buf, sizeof buf, "%s_min", type); |
| 1166 | if (ret == -1 || ret >= sizeof(buf)) { | ||
| 1167 | BIO_printf(bio_err, "Name '%s' too long for min\n", | ||
| 1168 | v->name); | ||
| 1169 | return 0; | ||
| 1170 | } | ||
| 1141 | if (!NCONF_get_number(req_conf, attr_sect, buf, &n_min)) { | 1171 | if (!NCONF_get_number(req_conf, attr_sect, buf, &n_min)) { |
| 1142 | ERR_clear_error(); | 1172 | ERR_clear_error(); |
| 1143 | n_min = -1; | 1173 | n_min = -1; |
| 1144 | } | 1174 | } |
| 1145 | snprintf(buf, sizeof buf, "%s_max", type); | 1175 | ret = snprintf(buf, sizeof buf, "%s_max", type); |
| 1176 | if (ret == -1 || ret >= sizeof(buf)) { | ||
| 1177 | BIO_printf(bio_err, "Name '%s' too long for max\n", | ||
| 1178 | v->name); | ||
| 1179 | return 0; | ||
| 1180 | } | ||
| 1146 | if (!NCONF_get_number(req_conf, attr_sect, buf, &n_max)) { | 1181 | if (!NCONF_get_number(req_conf, attr_sect, buf, &n_max)) { |
| 1147 | ERR_clear_error(); | 1182 | ERR_clear_error(); |
| 1148 | n_max = -1; | 1183 | n_max = -1; |
diff --git a/src/lib/libssl/src/apps/s_time.c b/src/lib/libssl/src/apps/s_time.c index e7fc7e2e07..169a9d7839 100644 --- a/src/lib/libssl/src/apps/s_time.c +++ b/src/lib/libssl/src/apps/s_time.c | |||
| @@ -398,7 +398,12 @@ s_time_main(int argc, char **argv) | |||
| 398 | goto end; | 398 | goto end; |
| 399 | 399 | ||
| 400 | if (s_www_path != NULL) { | 400 | if (s_www_path != NULL) { |
| 401 | snprintf(buf, sizeof buf, "GET %s HTTP/1.0\r\n\r\n", s_www_path); | 401 | int ret = snprintf(buf, sizeof buf, |
| 402 | "GET %s HTTP/1.0\r\n\r\n", s_www_path); | ||
| 403 | if (ret == -1 || ret >= sizeof buf) { | ||
| 404 | fprintf(stderr, "URL too long\n"); | ||
| 405 | goto end; | ||
| 406 | } | ||
| 402 | SSL_write(scon, buf, strlen(buf)); | 407 | SSL_write(scon, buf, strlen(buf)); |
| 403 | while ((i = SSL_read(scon, buf, sizeof(buf))) > 0) | 408 | while ((i = SSL_read(scon, buf, sizeof(buf))) > 0) |
| 404 | bytes_read += i; | 409 | bytes_read += i; |
| @@ -453,7 +458,12 @@ next: | |||
| 453 | goto end; | 458 | goto end; |
| 454 | } | 459 | } |
| 455 | if (s_www_path != NULL) { | 460 | if (s_www_path != NULL) { |
| 456 | snprintf(buf, sizeof buf, "GET %s HTTP/1.0\r\n\r\n", s_www_path); | 461 | int ret = snprintf(buf, sizeof buf, |
| 462 | "GET %s HTTP/1.0\r\n\r\n", s_www_path); | ||
| 463 | if (ret == -1 || ret >= sizeof buf) { | ||
| 464 | fprintf(stderr, "URL too long\n"); | ||
| 465 | goto end; | ||
| 466 | } | ||
| 457 | SSL_write(scon, buf, strlen(buf)); | 467 | SSL_write(scon, buf, strlen(buf)); |
| 458 | while (SSL_read(scon, buf, sizeof(buf)) > 0); | 468 | while (SSL_read(scon, buf, sizeof(buf)) > 0); |
| 459 | } | 469 | } |
| @@ -490,7 +500,12 @@ next: | |||
| 490 | goto end; | 500 | goto end; |
| 491 | 501 | ||
| 492 | if (s_www_path) { | 502 | if (s_www_path) { |
| 493 | snprintf(buf, sizeof buf, "GET %s HTTP/1.0\r\n\r\n", s_www_path); | 503 | int ret = snprintf(buf, sizeof buf, |
| 504 | "GET %s HTTP/1.0\r\n\r\n", s_www_path); | ||
| 505 | if (ret == -1 || ret >= sizeof buf) { | ||
| 506 | fprintf(stderr, "URL too long\n"); | ||
| 507 | goto end; | ||
| 508 | } | ||
| 494 | SSL_write(scon, buf, strlen(buf)); | 509 | SSL_write(scon, buf, strlen(buf)); |
| 495 | while ((i = SSL_read(scon, buf, sizeof(buf))) > 0) | 510 | while ((i = SSL_read(scon, buf, sizeof(buf))) > 0) |
| 496 | bytes_read += i; | 511 | bytes_read += i; |