Fixing old ticket. https://github.com/openssl/openssl/pull/1077
On Fri Oct 14 18:14:51 2011, ramsd...@mitre.org wrote:
> TrouSerS is an open-source TCG Software Stack by IBM. It uses OpenSSL
> to read passwords. The code in ssl_ui.c of the trousers library has a
> buffer overflow. I suspect many other applications may have the same
> problem because the documentation is not clear about how
> UI_add_input_string handles terminating null bytes. Here is the nub
> of the issue.
>
> People declare the buffer used by UI_add_input_string as:
>
> char pin_buf[UI_MAX_SECRET_STRING_LENGTH];
>
> and then call UI_add_input_string as:
>
> if (!UI_add_input_string(ui, "Enter PIN:", 0, pin_buf,
> 1, UI_MAX_SECRET_STRING_LENGTH))
>
> The documentation should tell them to use
>
> char pin_buf[UI_MAX_SECRET_STRING_LENGTH + 1];
>
> because there is a buffer overflow as demonstrated by the enclosed C
> program.
>
> $ make LDLIBS=-lcrypto ui
> cc ui.c -lcrypto -o ui
> $ ./ui
> pin_buf[UI_MAX_SECRET_STRING_LENGTH] = 1
> Enter PIN:ab
>
> strlen(pin_buf) = 2
> pin_buf = ab
> pin_buf[UI_MAX_SECRET_STRING_LENGTH] = 0
> $
>
> John
>

--
Richard Levitte
levi...@openssl.org

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=2622
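
Added example, not part of the original message and not the enclosed ui.c: a self-contained C model of the off-by-one described in the report, with the buggy declaration beside the corrected one. MAX_SECRET, model_read_string and guard_clobbered are hypothetical names; the model assumes only the contract the report describes (up to maxsize characters followed by a terminating NUL) and does not call OpenSSL.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SECRET 8 /* constructed stand-in for UI_MAX_SECRET_STRING_LENGTH */

/* Hypothetical model, not OpenSSL code: accept at most maxsize characters,
 * then store a terminating NUL after them. Returns bytes written, or -1. */
static int model_read_string(char *buf, int maxsize, const char *input)
{
    size_t len = strlen(input);
    if (maxsize < 0 || len > (size_t)maxsize)
        return -1;                 /* input longer than the caller allowed */
    memcpy(buf, input, len);
    buf[len] = '\0';               /* lands at buf[maxsize] for a full-length input */
    return (int)len + 1;
}

/* Places a caller buffer of buf_size bytes and a guard byte right after it in
 * one arena, so a write past the buffer is visible without undefined
 * behaviour. Returns 1 if the guard was overwritten, 0 if intact. */
static int guard_clobbered(size_t buf_size, int maxsize, const char *input)
{
    char arena[MAX_SECRET + 2];
    if (buf_size + 1 > sizeof arena || maxsize > MAX_SECRET)
        return -1;                 /* layout would not fit the arena */
    memset(arena, 'A', sizeof arena);
    arena[buf_size] = 1;           /* guard: first byte after the buffer */
    model_read_string(arena, maxsize, input);
    return arena[buf_size] != 1;
}

int main(void)
{
    const char *pin = "12345678"; /* constructed input, exactly MAX_SECRET chars */
    /* Reported pattern: buffer of MAX bytes, maxsize of MAX. */
    printf("buf[MAX],   maxsize MAX:   clobbered=%d\n",
           guard_clobbered(MAX_SECRET, MAX_SECRET, pin));
    /* Fix proposed in the report: one extra byte for the terminator. */
    printf("buf[MAX+1], maxsize MAX:   clobbered=%d\n",
           guard_clobbered(MAX_SECRET + 1, MAX_SECRET, pin));
    /* Same invariant from the other side: keep the buffer, pass size - 1. */
    printf("buf[MAX],   maxsize MAX-1: clobbered=%d\n",
           guard_clobbered(MAX_SECRET, MAX_SECRET - 1, "1234567"));
    return 0;
}
```

The invariant to check in callers is that the buffer holds at least maxsize + 1 bytes.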