Posted to dev@httpd.apache.org by st...@lycos.co.uk on 2005/05/19 09:21:34 UTC
Buffer overrun in modssl
I think I found a buffer overrun in ssl_callback_SSLVerify_CRL() (ssl_engine_kernel.c):
char buff[512]; /* should be plenty */
[...]
n = BIO_read(bio, buff, sizeof(buff));
buff[n] = '\0';
If there are more than 512 bytes, n=512, thus we write in buff[512].
We should use
n = BIO_read(bio, buff, sizeof(buff) - 1);
Am I right?
Marc
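
The off-by-one described in this message can be reproduced without OpenSSL; what follows is an added example, not part of the original post or of mod_ssl. Assumptions: src_read() is a hypothetical stand-in for BIO_read(), the guard bytes around the buffer are constructed, and the example goes one step beyond the mail by also covering a failed read (BIO_read() returns 0 or a negative value when no data was read), which the return-value check in terminate_patched() handles.

```c
#include <stddef.h>
#include <string.h>

#define CAP   512   /* same size as buff[] in the mail */
#define GUARD 0xAA  /* constructed canary value */

/* Hypothetical in-memory source standing in for the BIO. */
struct src { const char *data; size_t len; };

/* Stand-in for BIO_read(): bytes copied (at most len), or -1 if no data. */
static int src_read(struct src *s, char *out, int len)
{
    if (s->len == 0 || len <= 0)
        return -1;
    size_t n = s->len < (size_t)len ? s->len : (size_t)len;
    memcpy(out, s->data, n);
    s->data += n;
    s->len -= n;
    return (int)n;
}

/* Pattern from the mail: ask for the full buffer, then index with n. */
static void terminate_unpatched(struct src *s, char *buff)
{
    int n = src_read(s, buff, CAP);
    buff[n] = '\0';  /* n == CAP or n == -1 lands outside buff */
}

/* Fix proposed in the mail, plus a return-value check (an addition here).
 * Returns the length of the resulting string. */
static size_t terminate_patched(struct src *s, char *buff)
{
    int n = src_read(s, buff, CAP - 1);
    if (n < 0) n = 0;  /* read failed: produce an empty string */
    buff[n] = '\0';
    return (size_t)n;
}

/* Runs one variant on input_len (<= 2*CAP) bytes inside a guarded arena.
 * Bitmask result: 1 = byte before buff changed, 2 = byte after changed. */
static int guards_hit(size_t input_len, int patched)
{
    static char input[2 * CAP];
    unsigned char arena[1 + CAP + 1];  /* guard | buff[CAP] | guard */
    struct src s = { input, input_len };
    memset(input, 'A', sizeof(input));
    memset(arena, GUARD, sizeof(arena));
    char *buff = (char *)arena + 1;
    patched ? (void)terminate_patched(&s, buff) : terminate_unpatched(&s, buff);
    return (arena[0] != GUARD) | ((arena[CAP + 1] != GUARD) << 1);
}
```

Only inputs of 512 bytes or more, or an empty source, disturb a guard byte in the unpatched variant; a 511-byte input leaves both guards intact, so short test inputs do not reveal the defect.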