vtls: fix potential ssl_buffer stack overflow

In Curl_multissl_version() it was possible to overflow the passed in
buffer if the generated version string exceeded the size of the buffer.
Fix by inverting the logic, and also make sure to not exceed the local
buffer during the string generation.

Closes #3863
Reported-by: nevv on HackerOne/curl
Reviewed-by: Jay Satiro
Reviewed-by: Daniel Stenberg
danielgustafsson committed May 13, 2019
1 parent ae3f838 commit b4bb920405a6eb045f9e1fc3b5e05715bca2b0b4
Showing with 5 additions and 4 deletions.
  1. +5 −4 lib/vtls/vtls.c
@@ -1239,31 +1239,32 @@ static size_t Curl_multissl_version(char *buffer, size_t size)

if(current != selected) {
char *p = backends;
char *end = backends + sizeof(backends);
int i;

selected = current;

for(i = 0; available_backends[i]; i++) {
for(i = 0; available_backends[i] && p < (end - 4); i++) {
if(i)
*(p++) = ' ';
if(selected != available_backends[i])
*(p++) = '(';
p += available_backends[i]->version(p, backends + sizeof(backends) - p);
p += available_backends[i]->version(p, end - p - 2);
if(selected != available_backends[i])
*(p++) = ')';
}
*p = '\0';
total = p - backends;
}

if(size < total)
if(size > total)
memcpy(buffer, backends, total + 1);
else {
memcpy(buffer, backends, size - 1);
buffer[size - 1] = '\0';
}

return total;
return CURLMIN(size - 1, total);
}

static int multissl_init(const struct Curl_ssl *backend)
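
Review bot: In the final copy-out, the `else` branch computes `size - 1` on a `size_t`, so a caller passing `size == 0` reaches `memcpy(buffer, backends, size - 1)` with a wrapped length and then writes `buffer[size - 1]`; `size > total` is false for zero, so nothing stops it. Suggest an early `if(!size) return 0;` before the copy, which also keeps `CURLMIN(size - 1, total)` from wrapping. Separately, the loop bounds `p < (end - 4)` and `end - p - 2` would be easier to audit with a comment saying which bytes are being reserved (separator, parentheses, terminator), and they only hold if each backend's `version()` returns no more than the length it was handed, since `p` is advanced by that return value.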
