From da033d4cac01dc89c3553eb4783f806ef3d12634 Mon Sep 17 00:00:00 2001 From: tb Date: Tue, 21 Nov 2023 16:31:31 +0000 Subject: [PATCH] Fix a <= 5-byte buffer overwrite in print_bin() If the offset is > 124, this function would overwrite between 1 and 5 bytes of stack space after str[128]. So for a quick fix extend the buffer by 5 bytes. Obviously this is the permanent fix chosen elswehere. The proper fix will be to rewrite this function from scratch. Reported in detail by Masaru Masuda, many thanks! Fixes https://github.com/libressl/openbsd/issues/145 begrudging ok from beck --- lib/libcrypto/ec/eck_prn.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/libcrypto/ec/eck_prn.c b/lib/libcrypto/ec/eck_prn.c index 6e89bfa739a..45e0bc80e94 100644 --- a/lib/libcrypto/ec/eck_prn.c +++ b/lib/libcrypto/ec/eck_prn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: eck_prn.c,v 1.28 2023/07/07 13:54:45 beck Exp $ */ +/* $OpenBSD: eck_prn.c,v 1.29 2023/11/21 16:31:31 tb Exp $ */ /* * Written by Nils Larsch for the OpenSSL project. */ @@ -322,7 +322,8 @@ print_bin(BIO *fp, const char *name, const unsigned char *buf, size_t len, int off) { size_t i; - char str[128]; + /* XXX - redo the function with asprintf/strlcat. */ + char str[128 + 1 + 4]; if (buf == NULL) return 1; -- 2.20.1