On 16/09/16 08:05, Matthias Apitz wrote:
> El día Thursday, September 15, 2016 a las 10:35:34PM -0700, sivagopiraju 
> escribió:
>> int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name);
>> OBJ_obj2txt() converts the ASN1_OBJECT a into a textual representation. The
>> representation is written as a null terminated string to buf at most buf_len
>> bytes are written, truncating the result if necessary.* The total amount of
>> space required is returned*. If no_name is 0 then if the object has a long
>> or short name then that will be used, otherwise the numerical form will be
>> used. If no_name is 1 then the numerical form will always be used.
>> Above statement statement saying that *amount of space required is
>> returned*.
> I saw this, but 'amount of space required' is IMHO vague, I'd expect
> 'the length of the resulting string is returned'

That is the heart of the problem. OBJ_obj2txt() does not return what you
might expect. The author of TS_OBJ_print_bio() expected it to return the
length of the resulting string (as you do). However OBJ_obj2txt() might
truncate what it would otherwise produce if the supplied buffer isn't
big enough - but it still returns the length of the untruncated string.

The implementation of TS_OBJ_print_bio() used BIO_write() to print the
string, using the untruncated string length. This is obviously wrong and
could cause an out-of-bounds read. By swapping to BIO_printf() this is
avoided because it only prints the string until it hits the NUL
terminator which should always be within the bounds of the supplied buffer.


openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Reply via email to