From 189dbdd99416a481d49a43bd7f4a8ab90bef1e85 Mon Sep 17 00:00:00 2001
From: Richard Levitte
Date: Wed, 31 Jul 2019 09:27:05 +0200
Subject: [PATCH] ERR: fix err_data_size inconsistencies

In ERR_add_error_vdata(), the size of err_data had 1 added to it in some spots, which could lead to buffer overflow. In ERR_vset_error(), ERR_MAX_DATA_SIZE was used instead of buf_size in the BIO_vsnprintf() call, which would lead to a buffer overflow if such a large buffer couldn't be allocated.
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/9491)
---
 crypto/err/err.c | 6 +++---
 crypto/err/err_blocks.c | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/crypto/err/err.c b/crypto/err/err.c
index f129c1c7d6684..24549e3a4935d 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -795,18 +795,18 @@ void ERR_add_error_vdata(int num, va_list args)
 if (arg == NULL)
 arg = "";
 len += strlen(arg);
- if (len > size) {
+ if (len >= size) {
 char *p;
 size = len + 20;
- p = OPENSSL_realloc(str, size + 1);
+ p = OPENSSL_realloc(str, size);
 if (p == NULL) {
 OPENSSL_free(str);
 return;
 }
 str = p;
 }
- OPENSSL_strlcat(str, arg, (size_t)size + 1);
+ OPENSSL_strlcat(str, arg, (size_t)size);
 }
 if (!err_set_error_data_int(str, size, flags, 0))
 OPENSSL_free(str);
diff --git a/crypto/err/err_blocks.c b/crypto/err/err_blocks.c
index 49086bd0c2242..cf1bb9708aba1 100644
--- a/crypto/err/err_blocks.c
+++ b/crypto/err/err_blocks.c
@@ -85,7 +85,7 @@ void ERR_vset_error(int lib, int reason, const char *fmt, va_list args)
 }
 if (buf != NULL) {
- printed_len = BIO_vsnprintf(buf, ERR_MAX_DATA_SIZE, fmt, args);
+ printed_len = BIO_vsnprintf(buf, buf_size, fmt, args);
 }
 if (printed_len < 0)
 printed_len = 0;
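Review bot: The corrected `len >= size` test, `OPENSSL_realloc(str, size)` and `OPENSSL_strlcat(str, arg, (size_t)size)` in ERR_add_error_vdata() all depend on `size` being the allocated length of `str` with the terminating NUL included, and nothing in the loop states that. A comment above the growth check, such as `/* size is the allocated length of str, NUL included; len is the string length */`, would keep a later edit from reintroducing the off-by-one this commit removes. The `(size_t)size` cast suggests `len` and `size` are signed integers (their declarations are outside this hunk); if so, `len += strlen(arg)` and `size = len + 20` are worth a range check before the realloc. The loop and the function body start before the hunk.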
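Review bot: Now that `buf_size` bounds the `BIO_vsnprintf()` call in ERR_vset_error(), output that does not fit comes back as a negative return (the function reports truncation as -1), and the following `if (printed_len < 0) printed_len = 0;` presumably leaves the error data empty rather than shortened. That is exactly the fallback case the commit message describes, where the larger buffer could not be allocated, so the clamp deserves a comment such as `/* -1 means truncated or failed: the error data is dropped, not shortened */`. How `printed_len` is used afterwards lies outside the hunk, so confirm that the empty-string outcome is intended. The `buf == NULL` path skips the call and relies on the initial value of `printed_len`, which is not visible here.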