[FILE]
<root>/crypto/bio/b_sock.c, line 283ff

j=strlen(a->h_name)+1;
if ((ret->h_name=Malloc(j)) == NULL) goto err;
   memcpy((char *)ret->h_name, a->h_name , j+1);

[BUG]
memory overrun (one byte at the end of ret->h_name)
allocating "j" bytes but memcpy "j+1" bytes next line
Serious problem. Program can crash.

[FIX]
don't add one byte, the terminating "0" is included!
memcpy((char *)ret->h_name, a->h_name , j);

--next bug --next bug --next bug

[FILE]
<root>/crypto/bio/b_sock.c, line 288ff

  j=strlen(a->h_aliases[i])+1;
  if ((ret->h_aliases[i]=Malloc(j)) == NULL) goto err;
  memcpy(ret->h_aliases[i],a->h_aliases[i] , j+1);

[BUG]
memory overrun (one byte at the end of ret->h_aliases[i])
allocating "j" bytes but memcpy "j+1" bytes next line
Serious problem. Program can crash.

[FIX]
don't add one byte, the terminating "0" is included!
memcpy(ret->h_aliases[i] , a->h_aliases[i] , j);

Best regards,
Ralf

============================================

Ralf Kunoth
Application Development

fun communications GmbH
Brauerstrasse 6, D-76135 Karlsruhe, Germany
fon: +49 721 96448-0, fax: +49 721 96448-22
http://www.fun.de, mailto:[EMAIL PROTECTED]

I trust in http://www.keytrust.de



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
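
An added example, not part of the original message or OpenSSL's code: a deep copy of h_name and h_aliases in which one length variable sizes both the allocation and the copy, the pattern the [FIX] sections ask for. The helper names dup_str, hostent_names_dup and hostent_names_free and the sample host names are assumptions made for illustration.

```c
#include <netdb.h>
#include <stdlib.h>
#include <string.h>

/* One length n sizes both malloc and memcpy, so they cannot disagree. */
static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;          /* +1 is the terminating NUL */
    char *p = malloc(n);
    if (p != NULL) memcpy(p, s, n);    /* n bytes, never n + 1 */
    return p;
}

void hostent_names_free(struct hostent *h)  /* also frees partial copies */
{
    if (h == NULL) return;
    for (char **a = h->h_aliases; a != NULL && *a != NULL; a++) free(*a);
    free(h->h_aliases);
    free(h->h_name);
    free(h);
}

/* Deep-copy h_name and h_aliases (hypothetical helper, not OpenSSL code).
 * calloc zeroes the n + 1 slots, so the list is always NULL-terminated. */
struct hostent *hostent_names_dup(const struct hostent *a)
{
    size_t n = 0;
    struct hostent *ret = calloc(1, sizeof(*ret));
    if (ret == NULL) return NULL;
    while (a->h_aliases[n] != NULL) n++;
    if ((ret->h_aliases = calloc(n + 1, sizeof(char *))) == NULL) goto err;
    if ((ret->h_name = dup_str(a->h_name)) == NULL) goto err;
    for (size_t i = 0; i < n; i++)
        if ((ret->h_aliases[i] = dup_str(a->h_aliases[i])) == NULL) goto err;
    return ret;
err:
    hostent_names_free(ret);
    return NULL;
}

int main(void)
{
    char name[] = "host.example.test", al[] = "www.example.test"; /* constructed */
    char *aliases[] = { al, NULL };
    struct hostent src = { .h_name = name, .h_aliases = aliases };
    struct hostent *c = hostent_names_dup(&src);
    int ok = c != NULL && strcmp(c->h_aliases[0], al) == 0;
    hostent_names_free(c);
    return ok ? 0 : 1;
}
```

Building with -fsanitize=address (GCC or Clang) reports a copy of n + 1 bytes into an n-byte allocation as a heap-buffer-overflow, which is a quick way to confirm the reported overrun and the fix.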