[EMAIL PROTECTED] - Tue Mar 11 20:37:22 2003]: > Hi, > > The example code that comes with openssl comes with a file 'selfsign.c' > which I used to generate a key. I modified the line that calls > X509_gmtime_adj to 100 years because I didn't care about key expiry > (this is probably the wrong way to do it, but...). > > This generated a large negative adjustment, which isn't trapped by the > function until it gets to ASN1_GENERALIZEDTIME_set. There, the call to > OPENSSL_gmtime fails and is initialised with random junk from the stack > - the 'data' variable is passed into this function uninitialised, and if > gmtime() fails it just returns it as the result without checking). > > This random junk is then sprintf()ed into a fixed length buffer of 20 > bytes, but the resulting string on my machine is 47 bytes, causing > failure of the app a few lines later. > > It seems that only the Win32 gmtime() returns NULL if its argument is > negative... gcc seems to return valid data, however NULL is a valid > return value and should be checked for & handled correctly. >
Have you tried this in OpenSSL 0.9.7a? Steve. ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
