New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Overflow prevention #3878
Overflow prevention #3878
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
minor stuff.
crypto/bn/bn_print.c
Outdated
@@ -67,9 +67,10 @@ char *BN_bn2dec(const BIGNUM *a) | |||
*/ | |||
i = BN_num_bits(a) * 3; | |||
num = (i / 10 + i / 1000 + 1) + 1; | |||
tbytes = num + 3; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why +3? A comment here would help.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was in the original code in the malloc which was comment free.
Negative sign and null terminator are two. I've no idea why 3.
The derivation of the bound on num in the comment above looks correct.
crypto/pem/pem_lib.c
Outdated
@@ -71,6 +71,7 @@ int PEM_def_callback(char *buf, int num, int w, void *key) | |||
void PEM_proc_type(char *buf, int type) | |||
{ | |||
const char *str; | |||
char *p = strchr(buf, '\0'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is this anything other than buf+strlen(buf) ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nope, they do the same thing.
Want these changed?
crypto/pem/pem_lib.c
Outdated
} | ||
buf[j + i * 2] = '\n'; | ||
buf[j + i * 2 + 1] = '\0'; | ||
char *p = strchr(buf, '\0'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same strlen comment.
crypto/pem/pem_lib.c
Outdated
buf[j + i * 2] = '\n'; | ||
buf[j + i * 2 + 1] = '\0'; | ||
char *p = strchr(buf, '\0'); | ||
int j = PEM_BUFSIZE - (p - buf), n; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
int cast on the pointer subtraction
crypto/pem/pem_lib.c
Outdated
p += n; | ||
} | ||
if (j > 1) | ||
memcpy(p, "\n", sizeof("\n")); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
strcpy(p, "\n") seems more clear.
@@ -570,14 +573,14 @@ static int load_iv(char **fromp, unsigned char *to, int num) | |||
v = OPENSSL_hexchar2int(*from); | |||
if (v < 0) { | |||
PEMerr(PEM_F_LOAD_IV, PEM_R_BAD_IV_CHARS); | |||
return (0); | |||
return 0; | |||
} | |||
from++; | |||
to[i / 2] |= v << (long)((!(i & 1)) * 4); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
side note: whoever wrote that expression should be smacked.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree. I didn't notice it.
Yes, please change them; strlen is more obvious.
|
Okay fine
|
Changes are in. |
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3878)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3878)
Addressing strcpy, strcat and sprintf issues in
crypto/bn/bn_print.c
,crypto/mem_dbg.c
andcrypto/pem/pem_lib.c
Also replace
return (x)
withreturn x