Posted to commits@santuario.apache.org by "Manuel Arguelles (Jira)" <ji...@apache.org> on 2022/08/03 22:21:00 UTC
[jira] [Created] (SANTUARIO-591) Invalid read, possible buffer overflow
Manuel Arguelles created SANTUARIO-591:
------------------------------------------
Summary: Invalid read, possible buffer overflow
Key: SANTUARIO-591
URL: https://issues.apache.org/jira/browse/SANTUARIO-591
Project: Santuario
Issue Type: Bug
Security Level: Public (Public issues, viewable by everyone)
Components: C++
Affects Versions: C++ 2.0.4
Reporter: Manuel Arguelles
Assignee: Scott Cantor
In function: OpenSSLCryptoX509::loadX509Base64Bin of xsec/enc/OpenSSL/OpenSSLCryptoX509.cpp around line 166:
{code:cpp}
m_DERX509.sbStrcpyIn(buf);
{code}
This buf variable is the parameter of the function:
{code:cpp}
void OpenSSLCryptoX509::loadX509Base64Bin(const char * buf, unsigned int len) {
...
{code}
Since the length is not provided, sbStrcpyIn calls strlen on buf, which tries to find a null character, but the signature of the function (loadX509Base64Bin) takes the length as well, which suggests that the caller shouldn't need to provide a null-terminated string.
A possible fix is to call sbStrncpyIn(buf, len) but it is not clear to me when m_DERX509 is used (if it is). Maybe removing this call is enough...
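Added example, not part of the original report and not xsec code: a minimal C++ sketch of the pattern described above, where a loader receives (buf, len) but copies with a strlen-based call. DemoBuffer, copyUntilNul, copyBounded, loadIgnoringLen, loadHonoringLen and the sample input are hypothetical names and constructed data. The input is deliberately a prefix of a larger NUL-terminated string, so the length mismatch can be observed without reading out of bounds.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Hypothetical stand-in for a growable string buffer; NOT the xsec safeBuffer.
class DemoBuffer {
public:
    // Unbounded copy: scans for a NUL, so it trusts the caller's buffer
    // to be terminated (the pattern described in the report).
    void copyUntilNul(const char *s) { data_.assign(s, std::strlen(s)); }

    // Bounded copy: never reads past s[n-1]; stops early at an embedded NUL.
    void copyBounded(const char *s, unsigned int n) {
        const char *nul = static_cast<const char *>(std::memchr(s, '\0', n));
        data_.assign(s, nul ? static_cast<std::size_t>(nul - s) : n);
    }
    const std::string &str() const { return data_; }

private:
    std::string data_;
};

// Constructed input: 8 bytes of base64 followed by unrelated document text.
// A caller holding a slice of a larger document passes only the first 8 bytes.
static const char kDoc[] = "QUJDRA==</ds:X509Certificate>";
static const unsigned int kCertLen = 8;

// Loader that ignores len: the stored copy extends to the next NUL, wherever it is.
std::string loadIgnoringLen(const char *buf, unsigned int /*len*/) {
    DemoBuffer b;
    b.copyUntilNul(buf);
    return b.str();
}

// Loader that honors len: the stored copy is exactly the caller's slice.
std::string loadHonoringLen(const char *buf, unsigned int len) {
    DemoBuffer b;
    b.copyBounded(buf, len);
    return b.str();
}

int main() {
    std::printf("ignoring len: %zu bytes stored\n", loadIgnoringLen(kDoc, kCertLen).size());
    std::printf("honoring len: %zu bytes stored\n", loadHonoringLen(kDoc, kCertLen).size());
    return 0;
}
```

When the bytes after buf[len-1] are not part of the same allocation, the unbounded variant is an out-of-bounds read rather than just an over-long copy; building the real caller with AddressSanitizer is one way to confirm that case.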