[EMAIL PROTECTED] - Fri Nov 22 10:27:16 2002]: > > OS: Windows, but I think it is a cross-platform bug. > Version: 0.9.6g > > In the following function which is called from > PKCS7_sign, if the source text contains a line of text > which is exactly a mutiple of MAX_SMLEN-2 characters > long and has a CRLF line ending, then the gets call > will return a buffer which ends with just a CR, and > then on the next call a line that contains just an LF, > which will result in two CRLF pairs being put into the > output. > > A harmless bit of buggy coding is also present. The > value of len is not checked in the inner while loop. > Any line which only contains CR or LF characters will > cause len to go to 0, and the memory location > linebuf[-1] will be read. Its extremely unlikely that > the value at that location is a CR or LF, so usually > the loop terminates anyway. But, its not nice to go > out of bounds, and I imagine memory protection faults > could be triggered on some platforms. > > This only affects callers who do not pass PKCS7_BINARY > in the flags parameter (our work-around was to > normalize the line endings ourselves and then pass > PKCS7_BINARY). >
Should be fixed no in 0.9.7-stable and 0.9.8-dev. Please check the next snapshot. Steve. ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
