Posted to commits@santuario.apache.org by "Scott Cantor (Jira)" <ji...@apache.org> on 2022/08/04 13:03:00 UTC
[jira] [Commented] (SANTUARIO-591) Invalid read, possible buffer overflow
[ https://issues.apache.org/jira/browse/SANTUARIO-591?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17575253#comment-17575253 ]
Scott Cantor commented on SANTUARIO-591:
----------------------------------------
Agreed. I don't know if the member is in fact used; it isn't obvious if it is.
I reviewed the code for any calls to this and they're all null-terminated inputs. I really don't know that I will have any time to do a release, but this is a hell of a lot less hassle to release than Xerces so I'll do so if I can.
> Invalid read, possible buffer overflow
> --------------------------------------
>
> Key: SANTUARIO-591
> URL: https://issues.apache.org/jira/browse/SANTUARIO-591
> Project: Santuario
> Issue Type: Bug
> Security Level: Public (Public issues, viewable by everyone)
> Components: C++
> Affects Versions: C++ 2.0.4
> Reporter: Manuel Arguelles
> Assignee: Scott Cantor
> Priority: Major
>
> In function: OpenSSLCryptoX509::loadX509Base64Bin of xsec/enc/OpenSSL/OpenSSLCryptoX509.cpp around line 166:
>
> {code:cpp}
> m_DERX509.sbStrcpyIn(buf);
> {code}
>
> This buf variable is the parameter of the function:
> {code:cpp}
> void OpenSSLCryptoX509::loadX509Base64Bin(const char * buf, unsigned int len) {
> ...
> {code}
> Since the length is not provided, sbStrcpyIn calls strlen on buf, which tries to find a null character, but the signature of the function (loadX509Base64Bin) takes the length as well, which suggests that the caller shouldn't need to provide a null-terminated string.
>
> A possible fix is to call sbStrncpyIn(buf, len) but it is not clear to me when m_DERX509 is used (if it is). Maybe removing this call is enough...
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
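The defect pattern in this thread, shown as an added, self-contained C++ example that is not Santuario's code: a (buf, len) entry point that ignores len and hands buf to an unbounded copy (strlen-based) reads past the caller's data, while the bounded variant copies exactly the bytes it was given. The SafeBufferDemo class and its strcpyIn/strncpyIn methods are hypothetical stand-ins modelled on the sbStrcpyIn/sbStrncpyIn calls named in the report; the input bytes are constructed, and the unterminated fragment is deliberately followed by other bytes inside the same allocation so the demonstration stays within defined behaviour (a real over-read would run into unrelated or unmapped memory instead).

```cpp
#include <cassert>
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical stand-in for a safeBuffer-style owning buffer (not the library's class).
class SafeBufferDemo {
public:
    // Unbounded variant: trusts that `buf` is NUL-terminated and measures it with strlen.
    void strcpyIn(const char* buf) { m_data.assign(buf, std::strlen(buf)); }
    // Bounded variant: copies exactly `len` bytes; the internal std::string adds its own NUL.
    void strncpyIn(const char* buf, std::size_t len) { m_data.assign(buf, len); }
    std::size_t size() const { return m_data.size(); }
    const std::string& str() const { return m_data; }
private:
    std::string m_data;
};

// Entry point with the (buf, len) shape from the report, written the defective way:
// len is accepted but never used, so the copy length comes from strlen(buf).
std::size_t loadBase64BinUnbounded(const char* buf, unsigned int len) {
    SafeBufferDemo m_DERX509;
    (void)len;                      // ignored: this is the bug pattern
    m_DERX509.strcpyIn(buf);
    return m_DERX509.size();
}

// Same entry point honouring the caller-supplied length (the fix the report proposes).
std::size_t loadBase64BinBounded(const char* buf, unsigned int len) {
    SafeBufferDemo m_DERX509;
    m_DERX509.strncpyIn(buf, len);
    return m_DERX509.size();
}

// Constructed input: a 12-byte base64 fragment stored WITHOUT its own NUL, followed in the
// same allocation by 12 unrelated bytes and a final NUL, so a strlen walk has somewhere to stop.
std::vector<char> makeUnterminatedInput() {
    const char fragment[] = "MIIBIjANBgkq";   // 12 chars (the caller's actual data)
    const char trailing[] = "XXXXJUNKXXXX";   // 12 chars + NUL: what an over-read picks up
    std::vector<char> v;
    v.insert(v.end(), fragment, fragment + 12);               // NUL deliberately not copied
    v.insert(v.end(), trailing, trailing + sizeof trailing);  // includes the terminating NUL
    return v;
}

const unsigned int kFragmentLen = 12;

// Bytes retained when the length parameter is ignored (expected: 24, i.e. data + junk).
std::size_t unboundedCopyLength() {
    std::vector<char> in = makeUnterminatedInput();
    return loadBase64BinUnbounded(in.data(), kFragmentLen);
}

// Bytes retained when the length parameter is honoured (expected: 12).
std::size_t boundedCopyLength() {
    std::vector<char> in = makeUnterminatedInput();
    return loadBase64BinBounded(in.data(), kFragmentLen);
}

int main() {
    std::cout << "unbounded copy kept " << unboundedCopyLength() << " bytes\n";
    std::cout << "bounded copy kept   " << boundedCopyLength() << " bytes\n";
    return 0;
}
```

The over-read here is only visible because the constructed buffer happens to contain a NUL a few bytes later; with caller data that ends exactly at an allocation boundary the same strlen walk is the "invalid read" the issue title describes, which is why a function that already receives a length should pass that length through to every copy it makes rather than re-deriving it from the bytes.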