[openssl-users] net_ratelimit: 3480 callbacks suppressed
Hi,

As I know, the machine allows 10 messages in 5 seconds, as configured in the /proc/sys/kernel/printk_ratelimit and /proc/sys/kernel/printk_ratelimit_burst files. But my question is why this logging crosses 10 messages in 5 seconds, and in which case that will happen. And why does the kernel normally have a default value of 10 messages in 5 seconds? And what is the main advantage of this scenario?

Thanks, Gopi.

-- View this message in context: http://openssl.6102.n7.nabble.com/net-ratelimit-3480-callbacks-suppressed-tp69046.html Sent from the OpenSSL - User mailing list archive at Nabble.com. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] CVE-2016-2180
Thanks for the answers. I am going to change BIO_write to BIO_printf in my product for OpenSSL. And finally one question: is the NULL terminator surely within the 128 bytes of the buffer?

Regards, Gopi.
Re: [openssl-users] CVE-2016-2180
And a small understanding. We are supplying a buffer of about 128 bytes to fill with the converted message. So, if the obj (ASN1_OBJECT) size is more than the supplied buffer size, OBJ_obj2txt will truncate and will return the obj (ASN1_OBJECT) message length. That results in more than 128 bytes (the returned length). Because of this the crash is happening. Or, in which scenario does OBJ_obj2txt() truncate the supplied message?
Re: [openssl-users] CVE-2016-2180
int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name);

OBJ_obj2txt() converts the ASN1_OBJECT a into a textual representation. The representation is written as a null terminated string to buf at most buf_len bytes are written, truncating the result if necessary. *The total amount of space required is returned.* If no_name is 0 then if the object has a long or short name then that will be used, otherwise the numerical form will be used. If no_name is 1 then the numerical form will always be used.

The above statement is saying that *amount of space required is returned*.

Matthias Apitz-4 wrote
> On Thursday, September 15, 2016 at 09:00:07PM -0700, sivagopiraju wrote:
>
>> - int len = OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0); >> -BIO_write(bio, obj_txt, len); >> -BIO_write(bio, "\n", 1); >> +OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0); >> +BIO_printf(bio, "%s\n", obj_txt);
>>
>> Here, BIO_printf is used instead of BIO_write. Does it solve the issue?
>>
>> Can you please elaborate on it, I didn't understand the solution.
>
> The man page for OBJ_obj2txt() says what the function is doing and what
> the parms are used for or must be, but does not specify what its return
> value is, only that it is 'int'. Maybe it does not return the length of
> the resulting string.
>
> matthias

*Maybe it does not return the length of the resulting string.*

It means the return value is causing the issue.
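The return-value behaviour discussed in the messages above (the quoted contract and the 128-byte buffer), as an added example that is not part of any post in this thread and is not OpenSSL code. `toy_obj2txt`, `printable_len` and `demo` are hypothetical names that model only the quoted contract, and the 40-arc OID is constructed input.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for OBJ_obj2txt(): renders OID arcs as dotted text.
 * Models only the contract quoted in the thread: NUL-terminated output, at
 * most buf_len bytes written, return value = length the full text needs. */
static int toy_obj2txt(char *buf, int buf_len, const unsigned long *arcs, int n)
{
    int need = 0;
    for (int i = 0; i < n; i++) {
        char tmp[32];
        int k = snprintf(tmp, sizeof(tmp), i ? ".%lu" : "%lu", arcs[i]);
        for (int j = 0; j < k; j++, need++)
            if (need < buf_len - 1) buf[need] = tmp[j]; /* copy what fits */
    }
    if (buf_len > 0) buf[need < buf_len ? need : buf_len - 1] = '\0';
    return need;                             /* may exceed buf_len */
}

/* Number of bytes of buf that a length-based write may use. Never more than
 * what was stored; *truncated is set when the text did not fit. */
static int printable_len(int ret, int buf_len, int *truncated)
{
    *truncated = 0;
    if (ret < 0 || buf_len <= 0)
        return 0;                            /* defensive: nothing valid */
    if (ret >= buf_len) {
        *truncated = 1;
        return buf_len - 1;
    }
    return ret;
}

/* Constructed input: 40 seven-digit arcs, 319 characters as text. */
static int demo(int *reported, int *truncated)
{
    unsigned long arcs[40];
    char obj_txt[128];
    for (int i = 0; i < 40; i++) arcs[i] = 1000000UL + (unsigned long)i;
    *reported = toy_obj2txt(obj_txt, (int)sizeof(obj_txt), arcs, 40);
    int n = printable_len(*reported, (int)sizeof(obj_txt), truncated);
    return n == (int)strlen(obj_txt) ? n : -1;
}

int main(void)
{
    int reported, truncated, n = demo(&reported, &truncated);
    printf("reported=%d usable=%d truncated=%d\n", reported, n, truncated);
}
```

The reported length (319) is larger than the buffer, while only 127 characters plus the terminator were stored; a caller that uses the reported value as a write length must clamp it first.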
Re: [openssl-users] CVE-2016-2180
- int len = OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0); -BIO_write(bio, obj_txt, len); -BIO_write(bio, "\n", 1); +OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0); +BIO_printf(bio, "%s\n", obj_txt);

Here, BIO_printf is used instead of BIO_write. Does it solve the issue?

Can you please elaborate on it, I didn't understand the solution.
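Review bot: the two `+` lines discard the return value of OBJ_obj2txt(), so text that did not fit in obj_txt is printed truncated with no indication. The documentation quoted elsewhere in this thread says the call returns the total space required, not the number of bytes written, which is why passing it to BIO_write() as `len` in the removed lines could read past sizeof(obj_txt), whereas BIO_printf with "%s" stops at the terminator. Consider keeping the return value and comparing it with sizeof(obj_txt) so that truncation can be reported or handled.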
Re: [openssl-users] CVE-2016-2180
I can't upgrade at this stage for my product, so can you give me the fix if you have it?
[openssl-users] CVE-2016-2180
I am using openssl-1.0.0e in my product. I want to know whether this OpenSSL is vulnerable to CVE-2016-2180 or not.

https://github.com/openssl/openssl/commit/0ed26acce328ec16a3aa635f1ca37365e8c7403a?diff=unified

This page shows some information about the CVE-2016-2180 vulnerability. Actually, I read some information on the internet that, to reproduce this vulnerability, one needs to "*create specially crafted time stamp file and used with the "openssl ts"*" command. How to create a "specially crafted time stamp file"? The CVE-2016-2180 vulnerability talks about the TS_OBJ_print_bio function creating the crash. This function is present in the OpenSSL I have. Is there any patch available for this vulnerability?