The documentation for ERR_string_error says that the string buffer array
"must be at least 120 bytes long". See doc/crypto/ERR_error_string.pod and
doc/ssleay.txt.
However, ERR_string_error always passes a size of 256 to ERR_string_error_n.
This bug has existed for as long as ERR_string_error has been calling
ERR_string_error_n.
Fortunately, as far as I can tell, ERR_string_error_n should never write a
string larger than 120 bytes. In fact, because system error strings are
truncated to a max of LEN_SYS_STR_REASON (32), the maximum possible length
is less than 100 bytes.
I could be wrong, or in the future error printing could change (e.g. with
localization patches), which would make this bug a serious issue.
Attached is a patch to crypto/err/err.c which fixes ERR_string_error to pass
120 when a buffer of unknown length is passed.
Presuming this bug is benign, then this patch shouldn't change behavior. If
it's not benign, then it definitely has to be changed to 120--changing the
documentation could leave code vulnerable.
- Bill
--- err.c.bak 2012-10-02 03:13:05.000000000 -0700
+++ err.c 2012-10-02 03:16:34.000000000 -0700
@@ -913,9 +913,15 @@
{
static char buf[256];
- if (ret == NULL) ret=buf;
- ERR_error_string_n(e, ret, 256);
-
+ if (ret == NULL)
+ {
+ ret=buf;
+ ERR_error_string_n(e, ret, 256);
+ }
+ else
+ {
+ ERR_error_string_n(e, ret, 120);
+ }
return ret;
}
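Review bot: in the new `else` branch, `ERR_error_string_n(e, ret, 120);` hard-codes the documented minimum as a bare literal, and the `ret == NULL` branch keeps a literal 256 rather than tying the size to `buf`. Suggest `sizeof(buf)` for the static buffer and a named constant for 120, or at least a comment citing doc/crypto/ERR_error_string.pod, so the code and the documented limit cannot drift apart unnoticed. That comment should also state that a caller-supplied buffer is assumed to hold only 120 bytes, which means output is capped at that length even when the caller's buffer is larger.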