
[GNUnet-SVN] [gnurl] 170/219: vtls: fix potential ssl_buffer stack overf


From: gnunet
Subject: [GNUnet-SVN] [gnurl] 170/219: vtls: fix potential ssl_buffer stack overflow
Date: Wed, 22 May 2019 19:18:29 +0200

This is an automated email from the git hooks/post-receive script.

ng0 pushed a commit to branch master
in repository gnurl.

commit b4bb920405a6eb045f9e1fc3b5e05715bca2b0b4
Author: Daniel Gustafsson <address@hidden>
AuthorDate: Mon May 13 20:27:50 2019 +0200

    vtls: fix potential ssl_buffer stack overflow
    
    In Curl_multissl_version() it was possible to overflow the passed in
    buffer if the generated version string exceeded the size of the buffer.
    Fix by inverting the logic, and also make sure to not exceed the local
    buffer during the string generation.
    
    Closes #3863
    Reported-by: nevv on HackerOne/curl
    Reviewed-by: Jay Satiro
    Reviewed-by: Daniel Stenberg
---
 lib/vtls/vtls.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index 8a405c05c..25391443f 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -1239,16 +1239,17 @@ static size_t Curl_multissl_version(char *buffer, 
size_t size)
 
   if(current != selected) {
     char *p = backends;
+    char *end = backends + sizeof(backends);
     int i;
 
     selected = current;
 
-    for(i = 0; available_backends[i]; i++) {
+    for(i = 0; available_backends[i] && p < (end - 4); i++) {
       if(i)
         *(p++) = ' ';
       if(selected != available_backends[i])
         *(p++) = '(';
-      p += available_backends[i]->version(p, backends + sizeof(backends) - p);
+      p += available_backends[i]->version(p, end - p - 2);
       if(selected != available_backends[i])
         *(p++) = ')';
     }
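
Review bot: the bounds in the loop, `p < (end - 4)` in the for condition and `end - p - 2` in the version() call, are unexplained magic numbers. A short comment naming the bytes being reserved (the separator space, the two parentheses, the terminating NUL) would let a reader verify them without counting writes by hand. The `p +=` on the version() result also stays inside backends only if every backend's version() returns the number of bytes it actually wrote and never more than the size it was given; state that contract here, or clamp the return value to the size passed before advancing p.
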
@@ -1256,14 +1257,14 @@ static size_t Curl_multissl_version(char *buffer, 
size_t size)
     total = p - backends;
   }
 
-  if(size < total)
+  if(size > total)
     memcpy(buffer, backends, total + 1);
   else {
     memcpy(buffer, backends, size - 1);
     buffer[size - 1] = '\0';
   }
 
-  return total;
+  return CURLMIN(size - 1, total);
 }
 
 static int multissl_init(const struct Curl_ssl *backend)
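
Review bot: size == 0 is not handled in the copy at the end of the function. With a size_t size of 0, `size > total` is false, so the else branch runs `memcpy(buffer, backends, size - 1)` with size - 1 wrapped to SIZE_MAX and then writes `buffer[size - 1]`; `CURLMIN(size - 1, total)` also evaluates to total in that case even though nothing fits. Suggest an early `if(!size) return 0;` before the copy. The return value also changes meaning, from the full length to the number of bytes stored, which deserves a line in the function comment because callers can no longer detect truncation from it.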

-- 
To stop receiving notification emails like this one, please contact
address@hidden


