From 03cb2cc9e53f7ca7539069a388d2767fffa7cf66 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Thu, 1 Feb 2018 21:28:59 +0100 Subject: [PATCH] Fix of prefix bio filter (bf_prefix.c): rely on the given length The assumption that the received buffer has to be NUL-terminated was faulty. Fault found in #5224 Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5239) --- apps/bf_prefix.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/apps/bf_prefix.c b/apps/bf_prefix.c index 4d5e3a31c1..bae3c91bf8 100644 --- a/apps/bf_prefix.c +++ b/apps/bf_prefix.c @@ -96,7 +96,7 @@ static int prefix_write(BIO *b, const char *out, size_t outl, *numwritten = 0; - while (*out != '\0') { + while (outl > 0) { size_t i; char c; @@ -111,7 +111,7 @@ static int prefix_write(BIO *b, const char *out, size_t outl, } /* Now, go look for the next LF, or the end of the string */ - for (i = 0; (c = out[i]) != '\n' && c != '\0'; i++) + for (i = 0, c = '\0'; i < outl && (c = out[i]) != '\n'; i++) continue; if (c == '\n') i++; @@ -123,6 +123,7 @@ static int prefix_write(BIO *b, const char *out, size_t outl, if (!BIO_write_ex(BIO_next(b), out, i, &num)) return 0; out += num; + outl -= num; *numwritten += num; i -= num; } -- 2.25.1