[EMAIL PROTECTED] - Mon Jul 28 15:31:12 2003]:
> > Hello Dr. Henson,
> >
> > It seems that OpenSSL overwrites allocated memory - maybe memory
> > allocated for 32-Bit and used with 64-Bit?
>
> I've found the error. :-)
>
> The problem is the following:
> In file a_mbstr.c in function ASN1_mbstring_ncopy there are the
> following calls:
>
> /* Work out how much space the destination will need */
> switch(outform) {
>
> .......
>
>     case MBSTRING_UTF8:
>         outlen = 0;
>         traverse_string(in, len, inform, out_utf8, &outlen);
>         cpyfunc = cpy_utf8;
>         break;
> }
>
> if(!(p = OPENSSL_malloc(outlen + 1))) {
>     if(free_out) ASN1_STRING_free(dest);
>     ASN1err(ASN1_F_ASN1_MBSTRING_COPY,ERR_R_MALLOC_FAILURE);
>     return -1;
> }
>
> After traverse_string, outlen is set to "0" and in the
> following malloc p becomes only 1 Byte. I iterated through
> traverse_string and found that outlen should be 32. I tested
> p=OPENSSL_malloc(32 + 1) and voila - no segmentation faults, no
> picket-fence error left.
>
> I suggest changing, in ASN1_mbstring_ncopy, the type of outlen
> from int to long (see also: out_utf8 in a_mbstr.c):
>
> - int outform, outlen;
> + int outform;
> + long outlen;
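
Review bot: on the "+ long outlen;" line, widening outlen to long makes it match the long * that out_utf8 writes through, but the value still feeds OPENSSL_malloc(outlen + 1) and, per the reply in this thread, ends up in the int length field of ASN1_STRING, so a narrowing conversion remains after this change. Either add a range check before the value is stored into the int field, or keep outlen as int and change the callback's argument type so that both sides agree on one width.
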
>
> That's it.
>
Many thanks for finding this. I think though that I'll change outlen
in out_utf8 from long * to int *, because the ASN1_STRING length field
(which this gets ultimately set to) is also an int.
Let me know if that works OK.
Steve.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
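
The width mismatch discussed in this thread, as an added example that is not part of the original messages or of OpenSSL: a callback stores a 64-bit long where the caller declared a 32-bit int. Assumptions: an LP64 platform (the thread does not say which), modelled with a constructed byte buffer; struct frame, store_long64, load_int32, outlen_seen and neighbour_after are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum byte_order { ORDER_BIG, ORDER_LITTLE };

/* Constructed model: 8 bytes of caller stack holding a 32-bit outlen at
 * offset 0 and a 32-bit neighbour at offset 4. A byte buffer keeps the
 * demonstration free of real out-of-bounds writes. */
struct frame { unsigned char bytes[8]; };

/* Store a 64-bit count at offset 0, as a callback taking "long *" does on LP64. */
static void store_long64(struct frame *f, uint64_t v, enum byte_order bo)
{
    for (int i = 0; i < 8; i++)
        f->bytes[i] = (unsigned char)(v >> (bo == ORDER_BIG ? 8 * (7 - i) : 8 * i));
}

/* Read the 32-bit value at byte offset off, as the caller reads its int. */
static uint32_t load_int32(const struct frame *f, int off, enum byte_order bo)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)f->bytes[off + i] << (bo == ORDER_BIG ? 8 * (3 - i) : 8 * i);
    return v;
}

/* Value the caller sees in its int outlen after the 64-bit store. */
uint32_t outlen_seen(uint64_t real_len, enum byte_order bo)
{
    struct frame f;
    memset(f.bytes, 0xAA, sizeof f.bytes);
    store_long64(&f, real_len, bo);
    return load_int32(&f, 0, bo);
}

/* Value left in the neighbouring 32 bits (0xAAAAAAAA before the store). */
uint32_t neighbour_after(uint64_t real_len, enum byte_order bo)
{
    struct frame f;
    memset(f.bytes, 0xAA, sizeof f.bytes);
    store_long64(&f, real_len, bo);
    return load_int32(&f, 4, bo);
}

int main(void)
{
    /* 32 is the length the reporter measured; the quoted code allocates outlen + 1. */
    for (int bo = ORDER_BIG; bo <= ORDER_LITTLE; bo++)
        printf("%s-endian: outlen=%u alloc=%u neighbour=%u\n", bo == ORDER_BIG ? "big" : "little",
               (unsigned)outlen_seen(32, bo), (unsigned)outlen_seen(32, bo) + 1, (unsigned)neighbour_after(32, bo));
    return 0;
}
```

With big-endian layout the int reads 0, so the allocation is 1 byte for 32 bytes of output, matching the reported symptom; with little-endian layout the length looks right while the neighbouring 32 bits are silently overwritten.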