Fixed, both for upcoming 1.1.0 and for 1.0.2.

On Mon May 16 13:42:16 2016, levitte wrote:
> Fixing old ticket.
>
> https://github.com/openssl/openssl/pull/1077
>
> On Fri Oct 14 18:14:51 2011, ramsd...@mitre.org wrote:
> > TrouSerS is an open-source TCG Software Stack by IBM. It uses OpenSSL
> > to read passwords. The code in ssl_ui.c of the trousers library has a
> > buffer overflow. I suspect many other applications may have the same
> > problem because the documentation is not clear about how
> > UI_add_input_string handles terminating null bytes. Here is the nub
> > of the issue.
> >
> > People declare the buffer used by UI_add_input_string as:
> >
> > char pin_buf[UI_MAX_SECRET_STRING_LENGTH];
> >
> > and then call UI_add_input_string as:
> >
> > if (!UI_add_input_string(ui, "Enter PIN:", 0, pin_buf,
> > 1, UI_MAX_SECRET_STRING_LENGTH))
> >
> > The documentation should tell them to use
> >
> > char pin_buf[UI_MAX_SECRET_STRING_LENGTH + 1];
> >
> > because there is a buffer overflow as demonstrated by the enclosed C
> > program.
> >
> > $ make LDLIBS=-lcrypto ui
> > cc ui.c -lcrypto -o ui
> > $ ./ui
> > pin_buf[UI_MAX_SECRET_STRING_LENGTH] = 1
> > Enter PIN:ab
> >
> > strlen(pin_buf) = 2
> > pin_buf = ab
> > pin_buf[UI_MAX_SECRET_STRING_LENGTH] = 0
> > $
> >
> > John
> >
>
>
> --
> Richard Levitte
> levi...@openssl.org

--
Richard Levitte
levi...@openssl.org

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=2622
Please log in as guest with password guest if prompted
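
Added example, not part of the original thread and not OpenSSL or TrouSerS code: a guard-byte probe in the spirit of the test program described in the report, measuring how many bytes a reader writes for a given size argument without actually overflowing anything. The two readers, MAX_SECRET and every other name are hypothetical stand-ins; read_excl models the contract the report describes (the size counts characters and the NUL is stored after them).

```c
#include <stdio.h>
#include <string.h>

#define MAX_SECRET 8   /* constructed stand-in for UI_MAX_SECRET_STRING_LENGTH */
#define GUARD 0x01     /* sentinel, same value the probe in the thread uses */
typedef void (*reader_fn)(char *buf, size_t maxsize, const char *typed);

/* Hypothetical reader, contract as reported: maxsize counts characters and
 * the terminating NUL is stored after them. */
static void read_excl(char *buf, size_t maxsize, const char *typed)
{
    size_t n = strlen(typed);
    if (n > maxsize) n = maxsize;
    memcpy(buf, typed, n);
    buf[n] = '\0';               /* index maxsize when input is full length */
}

/* Hypothetical reader, other contract: maxsize is the whole buffer size. */
static void read_incl(char *buf, size_t maxsize, const char *typed)
{
    size_t n = strlen(typed);
    if (maxsize == 0) return;
    if (n > maxsize - 1) n = maxsize - 1;
    memcpy(buf, typed, n);
    buf[n] = '\0';
}

/* Run the reader inside an oversized guard-filled arena and return how many
 * bytes it touched: the size a caller passing `maxsize` must declare. */
static size_t bytes_needed(reader_fn rd, size_t maxsize)
{
    char arena[2 * MAX_SECRET], typed[2 * MAX_SECRET];
    size_t i, used = 0;
    if (maxsize > MAX_SECRET) return 0;     /* outside what the arena covers */
    memset(arena, GUARD, sizeof arena);
    memset(typed, 'a', sizeof typed - 1);   /* constructed over-long input */
    typed[sizeof typed - 1] = '\0';
    rd(arena, maxsize, typed);
    for (i = 0; i < sizeof arena; i++)
        if (arena[i] != GUARD) used = i + 1;
    return used;
}

int main(void)
{
    printf("NUL after maxsize chars: declare %zu bytes\n", bytes_needed(read_excl, MAX_SECRET));
    printf("maxsize is buffer size:  declare %zu bytes\n", bytes_needed(read_incl, MAX_SECRET));
    return 0;
}
```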