From: Matt Caswell Date: Wed, 12 Oct 2016 15:43:03 +0000 (+0100) Subject: Ensure we handle len == 0 in ERR_err_string_n X-Git-Tag: OpenSSL_1_1_0c~84 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=953ef2cbd0645a47b8d5c1af3fe8f77f2e56c133;p=oweals%2Fopenssl.git Ensure we handle len == 0 in ERR_err_string_n If len == 0 in a call to ERR_error_string_n() then we can read beyond the end of the buffer. Really applications should not be calling this function with len == 0, but we shouldn't be letting it through either! Thanks to Agostino Sarubbo for reporting this issue. Agostino's blog on this issue is available here: https://blogs.gentoo.org/ago/2016/10/14/openssl-libcrypto-stack-based-buffer-overflow-in-err_error_string_n-err-c/ Reviewed-by: Richard Levitte (cherry picked from commit e5c1361580d8de79682958b04a5f0d262e680f8b) --- diff --git a/crypto/err/err.c b/crypto/err/err.c index c3f7212a78..29e5a03197 100644 --- a/crypto/err/err.c +++ b/crypto/err/err.c @@ -500,6 +500,9 @@ void ERR_error_string_n(unsigned long e, char *buf, size_t len) const char *ls, *fs, *rs; unsigned long l, f, r; + if (len == 0) + return; + l = ERR_GET_LIB(e); f = ERR_GET_FUNC(e); r = ERR_GET_REASON(e);