Uninitialized garbage in error message #318

Closed
sneis opened this Issue Jun 18, 2015 · 1 comment

sneis commented Jun 18, 2015

If you look at lib/vtls/openssl.c there is an uninitialized char array error_buffer in ossl_connect_step2. If you look at the switch statement following the declaration of error_buffer, you may end in the code for case 0x14090086: which contains something like if (...) { /* set error_buffer */ } else cert_problem="SSL certificate problem, verify that the CA cert is OK" ; Note that if you get to the else part, error_buffer is not touched! Then right before the return you call failf(data, "%s%s", cert_problem ? cert_problem : "", error_buffer); which copies the uninitialized buffer right after the message about the certificate problem, so we get arbitrary "garbage" in the error output.

@bagder bagder self-assigned this Jun 18, 2015

@bagder bagder added the SSL/TLS label Jun 18, 2015

bagder added a commit that referenced this issue Jun 18, 2015

openssl: fix use of uninitialized buffer
Make sure that the error buffer is always initialized and simplify the
use of it to make the logic easier.

Bug: #318
Reported-by: sneis

Member

bagder commented Jun 18, 2015

Thanks a lot, fixed in 26ddc53

@bagder bagder closed this Jun 18, 2015

jgsogo added a commit to jgsogo/curl that referenced this issue Oct 19, 2015

openssl: fix use of uninitialized buffer
Make sure that the error buffer is always initialized and simplify the
use of it to make the logic easier.

Bug: curl#318
Reported-by: sneis

@lock lock bot locked as resolved and limited conversation to collaborators May 7, 2018
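
The control flow described in the report, reduced to a stand-alone C model. This is an added example, not curl's code and not the actual change in 26ddc53. The names report, run_case, have_detail, initialize_first and ERRBUF_SIZE, the detail string and the stale-byte contents are all assumptions; the buffer is pre-filled by the caller so the effect is reproducible instead of undefined.

```c
#include <stdio.h>
#include <string.h>

#define ERRBUF_SIZE 64  /* assumed size; the issue does not state it */

/* Hypothetical stand-in for the message assembly at the end of
 * ossl_connect_step2. error_buffer plays the role of the stack array;
 * the caller owns it here so its prior contents are known.
 * have_detail models the elided if (...) condition from the report. */
static void report(char *out, size_t outlen, char *error_buffer,
                   int have_detail, int initialize_first)
{
  const char *cert_problem = NULL;

  if(initialize_first)
    error_buffer[0] = '\0';  /* hardened: always a valid empty string */

  if(have_detail)
    snprintf(error_buffer, ERRBUF_SIZE, "detail set by the if branch");
  else  /* this branch never writes to error_buffer */
    cert_problem = "SSL certificate problem, verify that the CA cert is OK";

  /* Same format string as the failf() call quoted in the report. */
  snprintf(out, outlen, "%s%s", cert_problem ? cert_problem : "",
           error_buffer);
}

/* Run one case with error_buffer holding constructed leftover bytes.
 * A truly uninitialized array may also lack a NUL terminator, in which
 * case %s reads past the end of the array. */
static const char *run_case(int have_detail, int initialize_first)
{
  static char out[256];
  char error_buffer[ERRBUF_SIZE];

  memset(error_buffer, 0, sizeof(error_buffer));
  strcpy(error_buffer, "<stale bytes>");  /* constructed sample data */
  report(out, sizeof(out), error_buffer, have_detail, initialize_first);
  return out;
}

int main(void)
{
  printf("no init, else branch: %s\n", run_case(0, 0));
  printf("init,    else branch: %s\n", run_case(0, 1));
  printf("init,    if branch:   %s\n", run_case(1, 1));
  return 0;
}
```

Building the real code with a memory sanitizer or running it under Valgrind flags this class of read, since the else path reaches the format call without any prior write to the array.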
