I think I found a buffer overrun in ssl_callback_SSLVerify_CRL() (ssl_engine_kernel.c):

    char buff[512]; /* should be plenty */
    [...]
    n = BIO_read(bio, buff, sizeof(buff));
    buff[n] = '\0';

If there are more than 512 bytes, n=512, thus we write in buff[512].

We should use

    n = BIO_read(bio, buff, sizeof(buff) - 1);

Am I right?
Marc
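To make the off-by-one concrete, here is an added example (not code from the post or from mod_ssl). It assumes a stand-in `mock_bio_read` with the same contract as OpenSSL's BIO_read (copy at most `len` bytes, return the count), shows why the original `buff[n] = '\0'` can land one past the end of a 512-byte array, and carries the proposed `sizeof(buff) - 1` fix through on inputs of 100, 512 and 600 bytes.

```c
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

#define BUFF_SIZE 512  /* same size as the buff[512] in the post */

/* Stand-in for BIO_read (assumption: copies at most `len` bytes from the
 * source and returns how many it copied). The source is a constructed
 * in-memory blob rather than a real BIO. */
typedef struct { const char *data; size_t len; size_t pos; } mock_bio;

static int mock_bio_read(mock_bio *bio, char *out, size_t len) {
    size_t avail = bio->len - bio->pos;
    size_t n = avail < len ? avail : len;
    memcpy(out, bio->data + bio->pos, n);
    bio->pos += n;
    return (int)n;
}

/* Reproduces the arithmetic of the original call without performing the
 * out-of-bounds store: when the input fills the buffer, n == BUFF_SIZE and
 * the terminator would be written to buff[BUFF_SIZE], one past the end. */
static bool original_terminator_in_bounds(size_t input_len) {
    size_t n = input_len < BUFF_SIZE ? input_len : BUFF_SIZE;
    return n < BUFF_SIZE;  /* buff[n] is only valid for n <= BUFF_SIZE - 1 */
}

/* The corrected pattern proposed in the post: reserve one byte so that
 * buff[n] is always inside the array. Returns n. */
static int read_cstring(mock_bio *bio, char *buff, size_t buff_size) {
    int n = mock_bio_read(bio, buff, buff_size - 1);
    buff[n] = '\0';
    return n;
}

/* Run the fixed version over `input_len` bytes of constructed data and
 * report the length of the resulting C string (at most BUFF_SIZE - 1). */
static size_t fixed_result_strlen(size_t input_len) {
    static char src[2048];          /* constructed source data */
    char buff[BUFF_SIZE];
    if (input_len > sizeof(src))
        input_len = sizeof(src);
    memset(src, 'A', sizeof(src));
    mock_bio bio = { src, input_len, 0 };
    read_cstring(&bio, buff, sizeof(buff));
    return strlen(buff);
}
```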