Ensure we handle len == 0 in ERR_err_string_n
authorMatt Caswell <matt@openssl.org>
Wed, 12 Oct 2016 15:43:03 +0000 (16:43 +0100)
committerMatt Caswell <matt@openssl.org>
Sat, 15 Oct 2016 10:30:15 +0000 (11:30 +0100)
commite5c1361580d8de79682958b04a5f0d262e680f8b
tree0afcd4bb7b036e7bd52911ea465db5df3eb1e88b
parent3ff3ee7a19e84076f67beeda1cf5e9d8b2380429
Ensure we handle len == 0 in ERR_err_string_n

If len == 0 in a call to ERR_error_string_n() then we can read beyond the
end of the buffer. Really applications should not be calling this function
with len == 0, but we shouldn't be letting it through either!

Thanks to Agostino Sarubbo for reporting this issue. Agostino's blog on
this issue is available here:
https://blogs.gentoo.org/ago/2016/10/14/openssl-libcrypto-stack-based-buffer-overflow-in-err_error_string_n-err-c/

Reviewed-by: Richard Levitte <levitte@openssl.org>
crypto/err/err.c