I am not 100% sure this is a real bug, hence I first tried mailing
openssl-users instead of rt@. But since there was no reply, I am sending
this to rt@.
641 if (is_sslv3)
642     {
<snip>
647     unsigned overhang = header_length-md_block_size;
648     md_transform(md_state.c, header);
649     memcpy(first_block, header + md_block_size, overhang);
My suspicion lies in line 649, where we're copying overhang bytes
from (header + md_block_size). I believe that copying from (header +
md_block_size) is an out-of-bounds access (overrun).
header is an array of 13 unsigned chars, and md_block_size == 64 (or 128 in some
cases). Hence (header + md_block_size) points outside header[13]. Assuming
overhang > 0, by doing a memcpy(), we have a problem, no?
Thanks
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
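As an added illustration of the bounds condition this report raises (example code written for this page, not OpenSSL's own), here is a checked model of the line-649 copy that takes the real buffer size, the claimed header length and the hash block size as parameters; the 73-byte header length and 80-byte buffer in the second case are constructed values.

```c
#include <stddef.h>
#include <string.h>

/* Bounds-checked model of `memcpy(first_block, header + md_block_size, overhang)`.
 * header_buf_len is the real size of the buffer behind `header`; header_length is
 * the number of valid header bytes the caller claims. Returns bytes copied, or -1
 * if the copy would read past `header` or write past `first_block`. */
int checked_overhang_copy(unsigned char *first_block, size_t first_block_len,
                          const unsigned char *header, size_t header_buf_len,
                          unsigned header_length, unsigned md_block_size)
{
    /* In unsigned arithmetic header_length - md_block_size never goes negative;
     * for 13 - 64 it wraps to a huge count, so order the operands first. */
    if (header_length < md_block_size)
        return -1;
    unsigned overhang = header_length - md_block_size;
    /* Source range [md_block_size, header_length) must lie inside the buffer. */
    if (header_length > header_buf_len)
        return -1;
    if (overhang > first_block_len)
        return -1;
    memcpy(first_block, header + md_block_size, overhang);
    return (int)overhang;
}

/* Reporter's scenario: a 13-byte header with a 64-byte hash block. */
int reporter_case(void)
{
    unsigned char header[13] = {0};
    unsigned char first_block[128];
    return checked_overhang_copy(first_block, sizeof first_block,
                                 header, sizeof header, 13, 64);
}

/* Constructed scenario in which the buffer really holds 73 header bytes, so the
 * 9 bytes past the first 64-byte block are in bounds. Returns -2 on wrong data. */
int valid_case(void)
{
    unsigned char header[80], first_block[128] = {0};
    for (unsigned i = 0; i < sizeof header; i++)
        header[i] = (unsigned char)i;
    int n = checked_overhang_copy(first_block, sizeof first_block,
                                  header, sizeof header, 73, 64);
    for (int i = 0; i < n; i++)
        if (first_block[i] != 64 + i)  /* copied bytes are header[64..72] */
            return -2;
    return n;
}
```

With the reporter's numbers the check refuses the copy before any read happens; it only succeeds when the buffer behind `header` is at least `header_length` bytes and `header_length` exceeds the block size.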