Use correct length when prompting for password.
author Dr. Stephen Henson <steve@openssl.org>
Fri, 4 Apr 2014 11:44:43 +0000 (12:44 +0100)
committer Dr. Stephen Henson <steve@openssl.org>
Fri, 4 Apr 2014 12:07:17 +0000 (13:07 +0100)
Use bufsiz - 1 not BUFSIZ - 1 when prompting for a password in
the openssl utility.

Thanks to Rob Mackinnon, Leviathan Security for reporting this issue.
(cherry picked from commit 7ba08a4d73c1bdfd3aced09a628b1d7d7747cdca)

apps/apps.c

index 8a6a9a29a7cd6721d65fb8a604a1cdf321e17b16..b76db10a5e5b3140a9bd2d6429e6cbf9b79b3d56 100644 (file)
@@ -586,12 +586,12 @@ int password_callback(char *buf, int bufsiz, int verify,
 
                if (ok >= 0)
                        ok = UI_add_input_string(ui,prompt,ui_flags,buf,
-                               PW_MIN_LENGTH,BUFSIZ-1);
+                               PW_MIN_LENGTH,bufsiz-1);
                if (ok >= 0 && verify)
                        {
                        buff = (char *)OPENSSL_malloc(bufsiz);
                        ok = UI_add_verify_string(ui,prompt,ui_flags,buff,
-                               PW_MIN_LENGTH,BUFSIZ-1, buf);
+                               PW_MIN_LENGTH,bufsiz-1, buf);
                        }
                if (ok >= 0)
                        do
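Review bot: In the verify branch, `buff = (char *)OPENSSL_malloc(bufsiz);` is handed straight to `UI_add_verify_string` with no NULL check, so an allocation failure passes a null result buffer to the UI layer; suggest testing `buff` and failing the prompt before the call. Separately, both calls now pass `bufsiz-1` as the maximum while the minimum stays `PW_MIN_LENGTH`, so a caller whose `bufsiz` is at or below `PW_MIN_LENGTH` (or is zero or negative) yields a maximum smaller than the minimum; a guard on `bufsiz` at the top of `password_callback` would make that case explicit. The commit message would also benefit from one sentence on the consequence of the old `BUFSIZ-1` bound for callers whose buffer is smaller than `BUFSIZ`, since that is what makes this a security-relevant fix rather than a cosmetic one.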