I'm not doubting the accuracy of the symptoms you have observed.  
However, I do not agree with your analysis, since 'len' contains the 
length of the contents 'from' points to, which remain unchanged.  Still, 
the pointer 'from' itself is changed directly after the cleanup in your 
patch, and len should probably be changed accordingly.  I'll look into 
that.

[EMAIL PROTECTED] - Tue Apr 27 23:43:03 2004]:

> This is a bug report for versions 0.9.6l and 0.9.7c.
> This bug report relates to request #573
> 
> str_copy() in crypto/conf/conf_def.c mishandles repeated variable 
> replacements.
> 
> CAUTION: the bug might lead to memory corruption as BUF_MEM_clean()
> does not check for negative sizes!
> 
> Here is the analysis for the bug for a NetBSD bugreport (bin/24458)
> pertaining to this problem:
> 
> The problem seems to be that in
> /usr/src/crypto/dist/openssl/crypto/conf/conf_def.c:631(0.9.6l)
> in function str_copy() the size parameter is calculated
> incorrectly across more than one replacement.
> 
> size expression: strlen(p)+len-(e-from)
>   => length of replacement string + length
>      of original string - length of variable.
> 
> Problems:
>         1) len-(e-from) is only correct for a single
>            substitution.
> 
>         2) after a substitution the code *forgets* the
>            effect of the string replacement.
> 
>         3) after a substitution the code also *forgets*
>            to account for the shortening of the source string
>            by variable replacement.
> 
> 
> Since BUF_MEM_grow_clean() is used the problem occurs when
> the length of the variable names exceeds the length of the
> variable value. In this case \0 is placed before the current
> string end (denoted by variable to). In extreme cases this can
> lead to overwriting memory *before* the allocated buffer.
> 
> 
> A fix could be to account for the size changes by keeping
> the len-variable at the correct value.
> 
> Fix:
> Index: crypto/dist/openssl/crypto/conf/conf_def.c
> ===================================================================
> RCS file: /src/NetBSD/REPOSITORY/netbsd/crypto/dist/openssl/crypto/conf/conf_def.c,v
> retrieving revision 1.1.1.4
> diff -c -r1.1.1.4 conf_def.c
> *** crypto/dist/openssl/crypto/conf/conf_def.c  25 Jul 2003 21:49:56 -0000      1.1.1.4
> --- crypto/dist/openssl/crypto/conf/conf_def.c  17 Feb 2004 23:26:19 -0000
> ***************
> *** 628,634 ****
>                                 
> CONFerr(CONF_F_STR_COPY,CONF_R_VARIABLE_HAS_NO_VALUE);
>                                 goto err;
>                                 }
> !                       BUF_MEM_grow_clean(buf,(strlen(p)+len-(e-from)
));
>                         while (*p)
>                                 buf->data[to++]= *(p++);
>                         from=e;
> --- 628,637 ----
>                                 
> CONFerr(CONF_F_STR_COPY,CONF_R_VARIABLE_HAS_NO_VALUE);
>                                 goto err;
>                                 }
> !                      
> !                       len = strlen(p)+len-(e-from)+1; /* keep len up 
> with the current string length even across
> multiple replacements */
> !                       BUF_MEM_grow_clean(buf, len);
> !
>                         while (*p)
>                                 buf->data[to++]= *(p++);
>                         from=e;
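Review bot: the new `BUF_MEM_grow_clean(buf, len);` line still ignores the return value, and since the whole bug is that this call was handed a wrong size, the result should be tested and a failure routed to the same `goto err` used three lines above for CONF_R_VARIABLE_HAS_NO_VALUE. Separately, `len = strlen(p)+len-(e-from)+1;` adds a terminator byte on every replacement: the old line passed `strlen(p)+len-(e-from)` with no `+1`, so if `len` already counts the terminator when it is initialised, each further substitution over-allocates by one more byte. Harmless, but either drop the `+1` or have the comment say the size is deliberately generous rather than "the current string length".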
> 


-- 
Richard Levitte
[EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
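A worked model of the size arithmetic discussed in the report above, added here as an example; it is not OpenSSL's str_copy() and not the NetBSD patch. It assumes a reduced `$NAME` syntax and a constructed two-entry variable table standing in for _CONF_get_string(); the names `expand`, `lookup`, `struct trace` and the slack bookkeeping are mine. Mode 0 uses the 0.9.7c expression with `len` left at the original string's length; mode 1 stores the computed size back into `len` after each replacement so it tracks the current length of the expanded string, which is the accounting the report proposes (without the patch's extra `+1`). Every write is bounds-checked against the size that would have been handed to BUF_MEM_grow_clean(), so an under-allocation surfaces as return code -2 instead of a heap write.

```c
/* Model of the buffer-size arithmetic in str_copy() (crypto/conf/conf_def.c,
 * OpenSSL 0.9.6l / 0.9.7c) for $NAME expansion.  Constructed example, not
 * OpenSSL code: quotes, escapes, ${NAME}/$(NAME) and section::name lookups are
 * left out so that the size computation stands alone. */
#include <assert.h>
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Constructed variable table standing in for _CONF_get_string(). */
static const char *lookup(const char *name, size_t n)
{
    static const struct { const char *k, *v; } vars[] = {
        { "D",        "/usr/local/ssl" },  /* value longer than its name */
        { "LONGNAME", "x" },               /* name longer than its value */
    };
    for (size_t i = 0; i < sizeof vars / sizeof vars[0]; i++)
        if (strlen(vars[i].k) == n && memcmp(vars[i].k, name, n) == 0)
            return vars[i].v;
    return NULL;
}

struct trace {
    char out[128];
    int  substitutions;
    long worst_slack;  /* min over substitutions of (size handed to grow) - (bytes needed) */
    long last_slack;   /* the same quantity for the most recent substitution */
};

/* mode 0: the 0.9.7c expression strlen(p)+len-(e-from) with len fixed at
 *         strlen(src)+1, the length of the original string.
 * mode 1: the same expression, but len is set to the result after each
 *         replacement so it tracks the current length of the expanded string.
 * Every write is checked against the size that would have been handed to
 * BUF_MEM_grow_clean(), so an under-allocation returns -2 instead of writing
 * past the buffer.  Returns the output length on success, -1 on bad input. */
static int expand(const char *src, int mode, struct trace *t)
{
    const char *from = src;
    long len = (long)strlen(src) + 1;   /* as set before the loop in str_copy() */
    long cap = len;                     /* size most recently handed to grow */
    size_t to = 0;

    t->substitutions = 0;
    t->worst_slack = LONG_MAX;
    t->last_slack = 0;
    if ((size_t)len > sizeof t->out)
        return -1;

    while (*from) {
        if (*from != '$') {
            if ((long)to >= cap)
                return -2;
            t->out[to++] = *from++;
            continue;
        }
        const char *np = from + 1, *e = np;
        while (isalnum((unsigned char)*e))
            e++;
        const char *p = lookup(np, (size_t)(e - np));
        if (p == NULL)
            return -1;

        /* size the loop would pass to BUF_MEM_grow_clean() ... */
        long passed = (long)strlen(p) + len - (long)(e - from);
        /* ... versus what the copy below plus the rest of the input and the
         * final terminator actually need */
        long needed = (long)to + (long)strlen(p) + (long)strlen(e) + 1;
        t->last_slack = passed - needed;
        if (t->last_slack < t->worst_slack)
            t->worst_slack = t->last_slack;
        if (mode == 1)
            len = passed;
        if (passed < 0 || (size_t)passed > sizeof t->out)
            return -1;
        cap = passed;
        t->substitutions++;

        while (*p) {
            if ((long)to >= cap)
                return -2;
            t->out[to++] = *p++;
        }
        from = e;
    }
    if ((long)to >= cap)
        return -2;
    t->out[to] = '\0';
    return (int)to;
}

int main(void)
{
    static const char *inputs[] = { "a$D", "$D/$D", "$LONGNAME$LONGNAME" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        for (int mode = 0; mode < 2; mode++) {
            struct trace t;
            int rc = expand(inputs[i], mode, &t);
            printf("%-20s mode=%d rc=%3d worst_slack=%4ld last_slack=%4ld %s\n",
                   inputs[i], mode, rc, t.worst_slack, t.last_slack,
                   rc >= 0 ? t.out : "(write past handed size)");
        }
    }
    return 0;
}
```

Running it shows the expression exact for a single substitution (`a$D`), short by the net growth of the earlier replacement on the second one (`$D/$D` needs 30 bytes but is handed 18, so mode 0 aborts where the real loop would write past the buffer), and generous when an earlier name was longer than its value (`$LONGNAME$LONGNAME`, slack +8 on the second replacement); with `len` kept current the slack is zero at every step.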
