From: tb <tb@openbsd.org>
Date: Tue, 21 Nov 2023 16:31:31 +0000 (+0000)
Subject: Fix a <= 5-byte buffer overwrite in print_bin()
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=da033d4cac01dc89c3553eb4783f806ef3d12634;p=openbsd

Fix a <= 5-byte buffer overwrite in print_bin()

If the offset is > 124, this function would overwrite between 1 and 5 bytes
of stack space after str[128]. So for a quick fix extend the buffer by 5
bytes. Obviously this is the permanent fix chosen elswehere. The proper fix
will be to rewrite this function from scratch.

Reported in detail by Masaru Masuda, many thanks!
Fixes https://github.com/libressl/openbsd/issues/145

begrudging ok from beck
---

diff --git a/lib/libcrypto/ec/eck_prn.c b/lib/libcrypto/ec/eck_prn.c
index 6e89bfa739a..45e0bc80e94 100644
--- a/lib/libcrypto/ec/eck_prn.c
+++ b/lib/libcrypto/ec/eck_prn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: eck_prn.c,v 1.28 2023/07/07 13:54:45 beck Exp $ */
+/* $OpenBSD: eck_prn.c,v 1.29 2023/11/21 16:31:31 tb Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project.
  */
@@ -322,7 +322,8 @@ print_bin(BIO *fp, const char *name, const unsigned char *buf,
     size_t len, int off)
 {
 	size_t i;
-	char str[128];
+	/* XXX - redo the function with asprintf/strlcat. */
+	char str[128 + 1 + 4];
 
 	if (buf == NULL)
 		return 1;