A scanning tool we use to scan our code for runtime problems such as buffer overruns, possible NULL pointer dereferencing, memory leaks, etc. has found a bug in the str_copy routine in conf_def.c. At line 621 (in 1.0.1k), there is a call to BUF_MEM_grow_clean but the return value is not checked. If that call fails, we continue to use the memory assuming the expansion succeeded and will either dereference NULL (if the buffer was empty to begin with) or likely write off the end of the buffer.
I have attached a patch.

Graeme Perrow
Attachment: str_cpy.patch (binary data)
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
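The defect the report describes, as an added example that is not part of the original message and is not OpenSSL's code: a small constructed stand-in for BUF_MEM whose grow routine follows the same return contract as BUF_MEM_grow_clean (new length on success, 0 on failure, buffer unchanged on failure), an append routine in the shape of the unchecked call, and the checked variant that fails closed. The names grow_buf, grow_buf_grow_clean, append_unchecked, append_checked and the fail_next_alloc hook are all constructed for this example; the stand-in does not reproduce the wiping that the real "clean" variant performs, only the return value a caller must check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for OpenSSL's BUF_MEM (not OpenSSL code). */
typedef struct {
    char *data;
    size_t length;
    size_t max;
} grow_buf;

/* Test hook (constructed): when set, the next allocation attempt fails. */
static int fail_next_alloc = 0;

/* Same return contract as BUF_MEM_grow_clean: the new length on success,
 * 0 on failure. On failure the buffer is left exactly as it was. */
static size_t grow_buf_grow_clean(grow_buf *b, size_t len)
{
    if (len <= b->max) {
        if (len > b->length)
            memset(b->data + b->length, 0, len - b->length);
        b->length = len;
        return len;
    }
    if (fail_next_alloc) {          /* simulated out-of-memory */
        fail_next_alloc = 0;
        return 0;
    }
    size_t newmax = len + len / 3;  /* overallocate to amortise growth */
    char *p = realloc(b->data, newmax);
    if (p == NULL)
        return 0;
    memset(p + b->length, 0, newmax - b->length);
    b->data = p;
    b->max = newmax;
    b->length = len;
    return len;
}

/* Shape of the reported defect: the grow result is discarded. If the grow
 * fails, memcpy writes through a NULL pointer (empty buffer) or past the end
 * of the old allocation. Shown for contrast; never called below. */
static void append_unchecked(grow_buf *b, const char *src)
{
    size_t n = strlen(src);
    size_t old = b->length;
    (void)grow_buf_grow_clean(b, old + n + 1);  /* return value ignored */
    memcpy(b->data + old, src, n + 1);          /* undefined if grow failed */
    b->length = old + n;
}

/* Checked variant: fail closed. Returns 1 on success, 0 on failure with the
 * existing contents untouched, so the caller can unwind (e.g. goto err). */
static int append_checked(grow_buf *b, const char *src)
{
    size_t n = strlen(src);
    size_t old = b->length;
    if (old > SIZE_MAX - n - 1)                 /* size arithmetic guard */
        return 0;
    if (grow_buf_grow_clean(b, old + n + 1) == 0)
        return 0;                               /* the missing check */
    memcpy(b->data + old, src, n + 1);
    b->length = old + n;                        /* length excludes the NUL */
    return 1;
}

/* Builds a string with three checked appends; returns 1 if correct. */
static int checked_copy_builds_string(void)
{
    grow_buf b = { NULL, 0, 0 };
    int ok = append_checked(&b, "foo") && append_checked(&b, "bar") &&
             append_checked(&b, "baz") && b.length == 9 &&
             strcmp(b.data, "foobarbaz") == 0;
    free(b.data);
    return ok;
}

/* Appends once, then forces the next growth to fail; returns 1 if the
 * failure was reported and the earlier contents survived intact. */
static int checked_copy_fails_closed(void)
{
    grow_buf b = { NULL, 0, 0 };
    if (!append_checked(&b, "openssl_conf = "))
        return 0;
    fail_next_alloc = 1;
    int rc = append_checked(&b, "openssl_init");
    fail_next_alloc = 0;
    int ok = rc == 0 && b.length == strlen("openssl_conf = ") &&
             strcmp(b.data, "openssl_conf = ") == 0;
    free(b.data);
    return ok;
}

int main(void)
{
    (void)append_unchecked;  /* referenced only so the contrast is visible */
    printf("builds string: %d\n", checked_copy_builds_string());
    printf("fails closed:  %d\n", checked_copy_fails_closed());
    return 0;
}
```

The second helper is the case the report is about: the first append fits, the second needs a larger allocation, and with the grow call failing the checked routine returns 0 and leaves the buffer as it was, where the unchecked shape would have gone on to write.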