Posted to dev@httpd.apache.org by st...@lycos.co.uk on 2005/05/19 09:21:34 UTC

Buffer overrun in modssl

I think I found a buffer overrun in ssl_callback_SSLVerify_CRL() (ssl_engine_kernel.c):

char buff[512]; /* should be plenty */
[...]
n = BIO_read(bio, buff, sizeof(buff));
buff[n] = '\0';

If there are more than 512 bytes, n = 512, thus we write to buff[512].
We should use
    n = BIO_read(bio, buff, sizeof(buff) - 1);

Am I right?

Marc
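
The off-by-one described in the message above, as an added example that is not part of the original post or of mod_ssl: the quoted read-then-terminate pattern is run against the proposed `sizeof(buff) - 1` form. It goes one step beyond the post by also rejecting a failed read, since BIO_read can return 0 or a negative value when nothing is read. `src_read`, `struct src`, the guard byte and both function names are hypothetical stand-ins so the block runs without OpenSSL.

```c
#include <stddef.h>
#include <string.h>

#define BUF_SZ 512

/* Hypothetical stand-in for BIO_read(): copies up to len bytes of
 * constructed input and returns the count, or -1 if nothing is read. */
struct src { size_t left; };

static int src_read(struct src *s, char *out, int len)
{
    if (s->left == 0 || len <= 0)
        return -1;
    size_t n = s->left < (size_t)len ? s->left : (size_t)len;
    memset(out, 'A', n);            /* constructed sample data */
    s->left -= n;
    return (int)n;
}

/* Pattern from the post, run in storage with one guard byte after the
 * 512-byte buffer so the stray write is observable without undefined
 * behaviour. Returns 1 if the guard byte was overwritten. */
int original_clobbers_guard(size_t input_len)
{
    struct src s = { input_len };
    char storage[BUF_SZ + 1];
    storage[BUF_SZ] = 0x55;                  /* guard byte */
    int n = src_read(&s, storage, BUF_SZ);   /* sizeof(buff) */
    if (n < 0)
        return 0;   /* demo only: the quoted lines, as shown, would index buff[-1] */
    storage[n] = '\0';
    return storage[BUF_SZ] != 0x55;
}

/* Proposed fix plus an error check. Returns the string length, or -1. */
int fixed_read(size_t input_len, char *buff, size_t size)
{
    struct src s = { input_len };
    if (size == 0)
        return -1;
    int n = src_read(&s, buff, (int)(size - 1));
    if (n < 0) {
        buff[0] = '\0';
        return -1;
    }
    buff[n] = '\0';
    return n;
}
```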