CVE-2016-2180

On 16/09/16 08:09, sivagopiraju wrote:
> And a small understanding.
> 
> We are supplying a buffer of about 128 bytes to fill with the converted message,
> so if the obj (ASN1_OBJECT) size is more than that (supplied buffer) size,
> OBJ_obj2txt will truncate and will return the obj (ASN1_OBJECT) message
> length. It results in more than 128 (returned length) bytes. Because of this
> the crash is happening.

Yes. If OBJ_obj2txt() would normally supply a string of length (say) 256
bytes, then it will truncate it (with a NUL terminator) into the
supplied 128 byte buffer. It will still return a value of 256 though.

Then when we call BIO_write() we tell it to write 256 bytes from the 128
byte buffer == Out-of-bounds read. This could mean a crash, or writing
arbitrary memory contents to the BIO.

By using BIO_printf() instead we only print the string up to the NUL
terminator which should always be within the 128 byte buffer.

Matt
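The pattern Matt describes is the classic snprintf-style contract: the function truncates into the buffer but returns the untruncated length, and the bug is using that return value as a byte count. The following stand-alone C program is an added example, not code from the thread or from OpenSSL; it replaces OBJ_obj2txt() with a small model function that follows the same contract (the name `model_obj2txt`, the `OBJ_BUF_SIZE` constant and the sample OID strings are all constructed for this illustration), and computes how many bytes the vulnerable BIO_write() call would read versus how many the BIO_printf() fix reads, without performing any out-of-bounds access itself.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for OBJ_obj2txt(): copies as much of the text form as fits,
 * always NUL-terminates, and returns the length of the FULL text, exactly
 * as snprintf() does. This models the contract described in the thread;
 * it is not OpenSSL's code. */
static int model_obj2txt(char *buf, size_t buf_len, const char *full)
{
    size_t full_len = strlen(full);
    size_t n;

    if (buf_len == 0)
        return (int)full_len;
    n = full_len < buf_len - 1 ? full_len : buf_len - 1;   /* truncate to fit */
    memcpy(buf, full, n);
    buf[n] = '\0';                                         /* always terminated */
    return (int)full_len;                                  /* untruncated length */
}

#define OBJ_BUF_SIZE 128

/* Vulnerable pattern: the byte count handed to the writer is the return value,
 * which may exceed the buffer. Returns how many bytes BIO_write(bio, obj_txt, i)
 * would be told to read from the 128-byte buffer (no actual OOB read is done). */
static size_t vulnerable_write_len(const char *full)
{
    char obj_txt[OBJ_BUF_SIZE];
    int i = model_obj2txt(obj_txt, sizeof(obj_txt), full);
    return (size_t)i;   /* out-of-bounds read whenever i >= sizeof(obj_txt) */
}

/* Fixed pattern: BIO_printf(bio, "%s", obj_txt) stops at the NUL terminator,
 * which model_obj2txt() guarantees lies inside the buffer. */
static size_t fixed_write_len(const char *full)
{
    char obj_txt[OBJ_BUF_SIZE];
    (void)model_obj2txt(obj_txt, sizeof(obj_txt), full);
    return strlen(obj_txt);
}

/* Review check for this bug class: a negative return is a failure, and a return
 * value >= the buffer size means the text was truncated and the return value
 * must not be used as a length. */
static int was_truncated(int ret, size_t buf_len)
{
    return ret < 0 || (size_t)ret >= buf_len;
}

/* Constructed sample inputs (not from the thread): one OID text that fits and
 * one that is deliberately longer than 128 bytes. */
static const char SHORT_OID_TXT[] = "1.2.840.113549.1.1.11";
static const char LONG_OID_TXT[] =
    "1.3.6.1.4.1.99999.1234567890.1234567890.1234567890.1234567890."
    "1234567890.1234567890.1234567890.1234567890.1234567890.1234567890."
    "1234567890.1234567890.1234567890.1234567890.1234567890.1234567890";

int main(void)
{
    const char *samples[] = { SHORT_OID_TXT, LONG_OID_TXT };
    size_t k;

    for (k = 0; k < sizeof(samples) / sizeof(samples[0]); k++) {
        char buf[OBJ_BUF_SIZE];
        int ret = model_obj2txt(buf, sizeof(buf), samples[k]);
        printf("full length %zu: BIO_write would read %zu bytes, "
               "BIO_printf reads %zu bytes, truncated=%d\n",
               strlen(samples[k]), vulnerable_write_len(samples[k]),
               fixed_write_len(samples[k]), was_truncated(ret, sizeof(buf)));
    }
    return 0;
}
```

For the long sample the vulnerable path hands the writer the full 193-byte length from a 128-byte stack buffer, while the `%s` path reads only the 127 bytes up to the terminator; `was_truncated()` is the check a reviewer would want wherever a snprintf-style return value is about to be reused as a length.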