On 16/09/16 08:09, sivagopiraju wrote:
> And a small understanding.
> 
> We are supplying a buffer of about 128 bytes to fill with the converted message,
> so if the obj (ASN1_OBJECT) size is more than that (supplied buffer) size
> OBJ_obj2txt will truncate and will return the obj (ASN1_OBJECT) message
> length. It results in more than 128 (the returned length) bytes. Because of this
> the crash is happening.

Yes. If OBJ_obj2txt() would normally supply a string of length (say) 256
bytes, then it will truncate it (with a NUL terminator) into the
supplied 128 byte buffer. It will still return a value of 256 though.

Then when we call BIO_write() we tell it to write 256 bytes from the 128
byte buffer == Out-of-bounds read. This could mean a crash, or writing
arbitrary memory contents to the BIO.

By using BIO_printf() instead we only print the string up to the NUL
terminator which should always be within the 128 byte buffer.

Matt

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
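The truncation contract Matt describes, worked through in C as an added example (not code from the thread or from OpenSSL). `model_obj2txt()` is a constructed stand-in that keeps only the property that matters here: it truncates into the caller's buffer with a NUL terminator but returns the length of the untruncated text. The 399-character "OID" is constructed and not a real identifier; BIO_write()/BIO_printf() are not called, the functions just return the byte count each pattern would hand to them. It also shows the second fix a practitioner would want besides BIO_printf(): use the return value to detect truncation and retry with a correctly sized buffer so the text is not silently cut short.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 128   /* the 128-byte buffer from the thread */

/* Constructed stand-in for OBJ_obj2txt() (this is NOT OpenSSL's code).
 * It keeps the one property that matters here: the text is truncated to
 * fit buf_len-1 bytes plus a NUL, but the return value is the length the
 * untruncated text would have had. Error returns are not modelled. */
static int model_obj2txt(char *buf, int buf_len, const char *full)
{
    int need = (int)strlen(full);
    if (buf != NULL && buf_len > 0) {
        int n = need < buf_len - 1 ? need : buf_len - 1;
        memcpy(buf, full, (size_t)n);
        buf[n] = '\0';
    }
    return need;
}

/* Constructed sample: 50 arcs of "1234567." gives 399 characters, which
 * cannot fit in BUF_SIZE. It is not a real OID. */
const char *sample_long_oid(void)
{
    static char s[512];
    if (s[0] == '\0') {
        for (int i = 0; i < 50; i++)
            strcat(s, "1234567.");
        s[strlen(s) - 1] = '\0';   /* drop the trailing '.' */
    }
    return s;
}

/* The buggy pattern: the return value of OBJ_obj2txt() is used as the
 * byte count for BIO_write(). For the long sample this returns 399, so
 * BIO_write() would read 271 bytes past the end of a 128-byte buffer. */
int unsafe_write_len(const char *full)
{
    char buf[BUF_SIZE];
    return model_obj2txt(buf, sizeof buf, full);
}

/* Fix 1: only write what is actually in the buffer, i.e. up to the NUL.
 * This is what BIO_printf(bio, "%s", buf) does; the text may still have
 * been silently cut short. */
int safe_write_len(const char *full)
{
    char buf[BUF_SIZE];
    model_obj2txt(buf, sizeof buf, full);
    return (int)strlen(buf);
}

/* 1 if the fixed-size buffer lost data, 0 otherwise. A return value of
 * buf_len or more means the NUL displaced at least one character. */
int was_truncated(const char *full)
{
    char buf[BUF_SIZE];
    return model_obj2txt(buf, sizeof buf, full) >= (int)sizeof buf;
}

/* Fix 2: detect truncation from the return value and retry with a buffer
 * of the right size, so nothing is lost. Caller frees the result. */
char *obj2txt_full(const char *full)
{
    char small[BUF_SIZE];
    int need = model_obj2txt(small, sizeof small, full);
    if (need < 0)
        return NULL;
    char *out = malloc((size_t)need + 1);
    if (out == NULL)
        return NULL;
    if (need < (int)sizeof small)
        memcpy(out, small, (size_t)need + 1);   /* it fit the first time */
    else
        model_obj2txt(out, need + 1, full);     /* second pass, full size */
    return out;
}

/* Length of the text recovered by obj2txt_full(), for checking. */
int full_copy_len(const char *full)
{
    char *p = obj2txt_full(full);
    int n = p ? (int)strlen(p) : -1;
    free(p);
    return n;
}

int main(void)
{
    const char *oid = sample_long_oid();
    printf("returned length        : %d\n", unsafe_write_len(oid));
    printf("bytes really in buffer : %d\n", safe_write_len(oid));
    printf("truncated              : %d\n", was_truncated(oid));
    printf("full copy length       : %d\n", full_copy_len(oid));
    return 0;
}
```

The same check applies to any snprintf-style API: a return value greater than or equal to the buffer size means truncation, and that return value must never be reused as a byte count for the buffer it did not fit in.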