details: http://hg.nginx.org/nginx/rev/8081e1f3ab8b branches: changeset: 6775:8081e1f3ab8b user: Valentin Bartenev <vb...@nginx.com> date: Tue Oct 18 20:46:06 2016 +0300 description: SSL: overcame possible buffer over-read in ngx_ssl_error().
It appeared that ERR_error_string_n() cannot handle zero buffer size well enough and causes over-read. The problem has also been fixed in OpenSSL: https://git.openssl.org/?p=openssl.git;h=e5c1361580d8de79682958b04a5f0d262e680f8b diffstat: src/event/ngx_event_openssl.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diffs (14 lines): diff -r bcb107bb89cd -r 8081e1f3ab8b src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c Sat Oct 08 18:05:00 2016 +1100 +++ b/src/event/ngx_event_openssl.c Tue Oct 18 20:46:06 2016 +0300 @@ -2137,7 +2137,9 @@ ngx_ssl_error(ngx_uint_t level, ngx_log_ break; } - if (p >= last) { + /* ERR_error_string_n() requires at least one byte */ + + if (p >= last - 1) { goto next; } _______________________________________________ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
