Hello everybody,
I noticed some strange behaviour of the routine 'BUF_MEM_grow': in
some conditions, the buffer content is changed, precisely: null bytes
are appended to the data. Let us denoting 'x' the value of x at the
end of the function and "old x" its value at rooutine entry, and
'size' the requested buffer length; we have:
"old max > size implies max = old max and length = size"
even if size <= length, which in this case append "length - size"
bytes to the buffer.
This means that the length field is not reliable after resizing, which
is error-prone when some routine have to use an externally provided
BUF_MEM. I noticed this when I used BUF_MEM to store strings and
wanted to append 2 strings into one BUF_MEM.
I looked at some places in the source code of OpenSSL and noticed that
the length is either saved (bio/bss_mem.c, mem_write) or ignored
(PEM_read_bio,asn1_collate_primitive, ASN1_d2i_bio). That explains
that the behaviour I describe has no undesirable effect on the currect
release.
So, I suggest to remove from BUF_MEM_grow the 2 assignements which
cause trouble, which would give the attached patch.
--
"A language is not a set of syntax rules. It is not just a set of semantics.
It's the entire culture surrounding the language itself.
So part of the cultural context in which you analyse a language
includes all the personalities and people involved."
-- Larry Wall (from "http://www.ddj.com/articles/1998/9802/9802a/9802a.htm";)
--- buffer.c Wed Sep 12 14:54:24 2001
+++ buffer-new.c Wed Sep 12 15:14:58 2001
@@ -102,7 +102,6 @@
if (str->max >= len)
{
memset(&str->data[str->length],0,len-str->length);
- str->length=len;
return(len);
}
n=(len+3)/3*4;
@@ -113,13 +112,13 @@
if (ret == NULL)
{
BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE);
- len=0;
+ /* don't touch the existing content */
+ return 0;
}
else
{
- str->data=ret;
- str->length=len;
- str->max=n;
+ memset(&str->data[str->length],0,len-str->length);
+ str->data=ret; str->max=n;
}
return(len);
}
