On 12 September 2013 17:14, Arthur Mesh via RT <r...@openssl.org> wrote:
> I am not 100% sure this is a real bug, hence first tried mailing > openssl-users instead of rt@. But since there was no reply, I am sending > this to rt@ > > > 641 if (is_sslv3) > 642 { > <snip> > 647 unsigned overhang = > header_length-md_block_size; > 648 md_transform(md_state.c, header); > 649 memcpy(first_block, header + md_block_size, > overhang); > > My suspicion lies in line 649, where we're copying overhang number of bytes > from (header + md_block_size). I believe that copying from (header + > md_block_size) is out-of-bound access (overrun). > > header is an array of 13 unsigned chars, and md_block_size == 64 (or 128 > in some > cases). Hence (header + md_block_size) points outside of header[13]. > Assuming > overhang > 0, by doing a memcpy(), we have a problem, no? > Well, in fact, this code is only run when |is_sslv3|, and in that case, |header| is actually 75 bytes. So, the documentation is at fault. But I guess an interesting question is: can |md_block_size| be 128 when |is_sslv3|?