If the offset is > 124, this function would overwrite between 1 and 5 bytes
of stack space after str[128]. So for a quick fix extend the buffer by 5
bytes. Obviously this is the permanent fix chosen elsewhere. The proper fix
will be to rewrite this function from scratch.
Reported in detail by Masaru Masuda, many thanks!
Fixes https://github.com/libressl/openbsd/issues/145
begrudging ok from beck
-/* $OpenBSD: eck_prn.c,v 1.28 2023/07/07 13:54:45 beck Exp $ */
+/* $OpenBSD: eck_prn.c,v 1.29 2023/11/21 16:31:31 tb Exp $ */
/*
* Written by Nils Larsch for the OpenSSL project.
*/
size_t len, int off)
{
size_t i;
- char str[128];
+ /* XXX - redo the function with asprintf/strlcat. */
+ char str[128 + 1 + 4];
if (buf == NULL)
return 1;
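Review bot: the declaration `char str[128 + 1 + 4];` does not say what the extra 1 and 4 bytes are for, and the XXX comment above it only mentions the planned rewrite. Extend that comment to state what the 5 bytes cover (the commit message puts the overrun at 1 to 5 bytes past str[128] when the offset is > 124), so the sizing is not trimmed or copied later without that context. The visible lines also show no check on `off`, which is a signed `int`; rejecting or clamping out-of-range values next to the `buf == NULL` test would make the bound explicit rather than leaving it implied by the buffer size.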