Posted to commits@santuario.apache.org by "Manuel Arguelles (Jira)" <ji...@apache.org> on 2022/08/03 22:21:00 UTC

[jira] [Created] (SANTUARIO-591) Invalid read, possible buffer overflow

Manuel Arguelles created SANTUARIO-591:
------------------------------------------

             Summary: Invalid read, possible buffer overflow
                 Key: SANTUARIO-591
                 URL: https://issues.apache.org/jira/browse/SANTUARIO-591
             Project: Santuario
          Issue Type: Bug
      Security Level: Public (Public issues, viewable by everyone)
          Components: C++
    Affects Versions: C++ 2.0.4
            Reporter: Manuel Arguelles
            Assignee: Scott Cantor


In function: OpenSSLCryptoX509::loadX509Base64Bin of xsec/enc/OpenSSL/OpenSSLCryptoX509.cpp around line 166:

 
{code:cpp}
m_DERX509.sbStrcpyIn(buf);
{code}
 

This buf variable is the parameter of the function:
{code:cpp}
void OpenSSLCryptoX509::loadX509Base64Bin(const char * buf, unsigned int len) {
...
{code}
Since the length is not provided, sbStrcpyIn calls strlen on buf, which tries to find a null character, but the signature of the function (loadX509Base64Bin) takes the length as well, which suggests that the caller shouldn't need to provide a null-terminated string.

 

A possible fix is to call sbStrncpyIn(buf, len) but it is not clear to me when m_DERX509 is used (if it is). Maybe removing this call is enough...



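The pattern described in the report, as an added example that is not code from Santuario or from the reporter: `ByteBuf`, `loadIgnoringLen` and `loadHonouringLen` are hypothetical stand-ins. The input is constructed so that the strlen-based copy stays inside one array and the demonstration is well-defined.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

// Hypothetical stand-in for a growable buffer class (not Santuario's safeBuffer).
class ByteBuf {
public:
    // strlen-based copy: only correct when src is NUL-terminated.
    void copyCString(const char* src) { data_.assign(src, std::strlen(src)); }
    // Length-bounded copy: reads exactly len bytes, never scans for a terminator.
    void copyBytes(const char* src, std::size_t len) { data_.assign(src, len); }
    const std::string& str() const { return data_; }
private:
    std::string data_;
};

// Constructed input: the caller's buffer is only the first kCertLen bytes.
// The bytes after it model unrelated adjacent memory; the array's trailing
// NUL keeps strlen inside the array so this demo has defined behaviour.
static const char kMemory[] = "TUlJQ2RB" "ADJACENT-DATA";
static const unsigned int kCertLen = 8;

// Mirrors the reported pattern: len is accepted but ignored.
std::string loadIgnoringLen(const char* buf, unsigned int len) {
    (void)len;
    ByteBuf b;
    b.copyCString(buf);   // reads until a NUL is found, wherever that is
    return b.str();
}

// Mirrors the fix suggested in the report: honour the caller's len.
std::string loadHonouringLen(const char* buf, unsigned int len) {
    ByteBuf b;
    b.copyBytes(buf, len);
    return b.str();
}

int main() {
    std::string bad = loadIgnoringLen(kMemory, kCertLen);
    std::string good = loadHonouringLen(kMemory, kCertLen);
    std::printf("len ignored : %zu bytes copied (%s)\n", bad.size(), bad.c_str());
    std::printf("len honoured: %zu bytes copied (%s)\n", good.size(), good.c_str());
    return good.size() == kCertLen ? 0 : 1;
}
```

With a real heap or stack buffer that lacks a terminator, the strlen-based path reads past the allocation, which is the invalid read the report describes; building with AddressSanitizer is one way to confirm it in a test harness.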