openssl/crypto/bio
Matt Caswell 9cb177301f Fix memory issues in BIO_*printf functions
The internal |fmtstr| function used in processing a "%s" format string
in the BIO_*printf functions could overflow while calculating the length
of a string and cause an OOB read when printing very long strings.

Additionally the internal |doapr_outch| function can attempt to write to
an OOB memory location (at an offset from the NULL pointer) in the event of
a memory allocation failure. In 1.0.2 and below this could be caused where
the size of a buffer to be allocated is greater than INT_MAX. E.g. this
could be in processing a very long "%s" format string. Memory leaks can also
occur.

These issues will only occur on certain platforms where sizeof(size_t) >
sizeof(int). E.g. many 64 bit systems. The first issue may mask the second
issue dependent on compiler behaviour.

These problems could enable attacks where large amounts of untrusted data
is passed to the BIO_*printf functions. If applications use these functions
in this way then they could be vulnerable. OpenSSL itself uses these
functions when printing out human-readable dumps of ASN.1 data. Therefore
applications that print this data could be vulnerable if the data is from
untrusted sources. OpenSSL command line applications could also be
vulnerable where they print out ASN.1 data, or if untrusted data is passed
as command line arguments.

Libssl is not considered directly vulnerable. Additionally certificates etc
received via remote connections via libssl are also unlikely to be able to
trigger these issues because of message size limits enforced within libssl.

CVE-2016-0799

Issue reported by Guido Vranken.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-02-25 22:45:58 +00:00
..
b_addr.c getaddrinfo: zero the hints structure 2016-02-19 16:44:28 +01:00
b_dump.c Refactoring BIO: Small adjustments 2016-02-03 19:37:07 +01:00
b_print.c Fix memory issues in BIO_*printf functions 2016-02-25 22:45:58 +00:00
b_sock2.c Make the BIO_ADDR param optional. 2016-02-14 17:36:10 -05:00
b_sock.c Make the BIO_ADDR param optional. 2016-02-14 17:36:10 -05:00
bf_buff.c Remove /* foo.c */ comments 2016-01-26 16:40:43 -05:00
bf_lbuf.c Remove /* foo.c */ comments 2016-01-26 16:40:43 -05:00
bf_nbio.c Remove /* foo.c */ comments 2016-01-26 16:40:43 -05:00
bf_null.c Remove /* foo.c */ comments 2016-01-26 16:40:43 -05:00
bio_cb.c Remove /* foo.c */ comments 2016-01-26 16:40:43 -05:00
bio_err.c Move to REF_DEBUG, for consistency. 2016-02-11 12:40:32 -05:00
bio_lcl.h On solaris, the variable name sun clashes, use s_un instead 2016-02-16 17:16:32 +01:00
bio_lib.c Move to REF_DEBUG, for consistency. 2016-02-11 12:40:32 -05:00
bss_acpt.c Refactoring BIO: adapt BIO_s_connect and BIO_s_accept 2016-02-03 19:40:32 +01:00
bss_bio.c Defines OSSL_SSIZE_MAX 2016-02-13 10:22:54 +00:00
bss_conn.c GH678: Add a few more zalloc 2016-02-22 12:13:37 -05:00
bss_dgram.c GH480: Don't break statements with CPP stuff. 2016-02-24 16:11:39 -05:00
bss_fd.c Refactoring BIO: Small adjustments 2016-02-03 19:37:07 +01:00
bss_file.c GH601: Various spelling fixes. 2016-02-05 15:25:50 -05:00
bss_log.c Remove /* foo.c */ comments 2016-01-26 16:40:43 -05:00
bss_mem.c RT4129: BUF_new_mem_buf should take const void * 2016-01-31 14:05:13 -05:00
bss_null.c Remove /* foo.c */ comments 2016-01-26 16:40:43 -05:00
bss_sock.c Remove /* foo.c */ comments 2016-01-26 16:40:43 -05:00
build.info Update crypto/bio/build.info 2016-02-04 23:34:20 +01:00
Makefile.in Always build library object files with shared library cflags 2016-02-20 16:51:31 +01:00