From: Sunil Singh [mailto:ekodevelop...@gmail.com]
Sent: Saturday, August 27, 2016 2:42 AM
To: Salz, Rich; openssl-secur...@openssl.org
Subject: Re: [openssl-security] Multiple issue with BIO_new_file Internal function (potential stack overflow/Crash)

I don't think it's right to say that it's not a security bug. If somebody passes a huge filename string which results in _alloca failure, it obviously leads to stack overflow; on the same grounds I can lightly compare it to malloc and not checking its return value. Input to the function can come from any place; why do you think it should not be validated?

Also, if I agree with you, I can say simply strlen(...) is also valid then, but it's deprecated by MSFT and another, strlen_l(...), is provided which accepts a size.

For your convenience, check this:
http://linux.die.net/man/3/alloca
http://stackoverflow.com/questions/1018853/why-is-the-use-of-alloca-not-considered-good-practice

Also, I previously provided an MSFT link which clearly mentions its usage.

Thanks

On Fri, Aug 26, 2016 at 10:44 PM, Salz, Rich <rs...@akamai.com> wrote:

This is not a security bug; an application program could mis-use the API.

Thanks for looking at the code!

--
Senior Architect, Akamai Technologies
IM: richs...@jabber.at Twitter: RichSalz

From: Sunil Singh [mailto:ekodevelop...@gmail.com]
Sent: Friday, August 26, 2016 1:09 PM
To: openssl-secur...@openssl.org
Subject: [openssl-security] Multiple issue with BIO_new_file Internal function (potential stack overflow/Crash)

Hello,

While working on the program at https://hackerone.com/ibb-openssl this was found.

Report below:

Function design issue

1. In BIO_new_file there is no check of the filename param.
2. In the internal function call static FILE *file_fopen(const char *filename, const char *mode) there is again no check of the filename param.
3. At WCHAR *wfilename = _alloca(sz * sizeof(WCHAR)): refer to https://msdn.microsoft.com/en-us/library/wb1s57t5.aspx for proper use of _alloca. It must be guarded; it can cause stack overflow in case the stack memory request is not fulfilled, and again no return value (wfilename) is checked.

Thanks,
Sunil Singh

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4662
Please log in as guest with password guest if prompted
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
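The disagreement above is about whether a stack allocation whose size is derived from caller input needs a guard. The following C program is an added illustration of the defensive pattern the report asks for; it is not OpenSSL code and does not reproduce file_fopen. It assumes a fixed ceiling on acceptable filename length (MAX_FILENAME_LEN, an assumed value), uses a small fixed-size stack buffer with a checked heap fallback instead of an unbounded _alloca, and substitutes the portable mbstowcs for MultiByteToWideChar so it runs anywhere. Every failure path returns NULL so the caller can refuse the name rather than crash. The names widen_filename and widen_path_kind are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Assumed upper bound on an acceptable filename; anything longer is refused
 * before any buffer size is derived from it. */
#define MAX_FILENAME_LEN 4096

/* Wide copy of `filename`. Small results land in the caller's fixed-size
 * `stack_buf` (capacity `stack_cap` wide chars); larger ones are malloc'd
 * and *used_heap is set so the caller knows to free(). Returns NULL on any
 * failure: NULL/empty/over-long input, bad multibyte sequence, or allocation
 * failure. mbstowcs stands in for MultiByteToWideChar for portability. */
wchar_t *widen_filename(const char *filename, wchar_t *stack_buf,
                        size_t stack_cap, int *used_heap)
{
    size_t len = 0, need;
    wchar_t *dst;

    *used_heap = 0;
    if (filename == NULL || stack_buf == NULL)
        return NULL;

    /* Bounded scan: never run an unbounded strlen() over untrusted input. */
    while (len <= MAX_FILENAME_LEN && filename[len] != '\0')
        len++;
    if (len == 0 || len > MAX_FILENAME_LEN)
        return NULL;

    /* Sizing pass: number of wide chars the conversion produces (no NUL). */
    need = mbstowcs(NULL, filename, 0);
    if (need == (size_t)-1)
        return NULL;
    need += 1;                                /* terminating NUL */

    if (need <= stack_cap) {
        dst = stack_buf;                      /* fits the fixed stack buffer */
    } else {
        dst = malloc(need * sizeof(wchar_t)); /* too big: heap, checked */
        if (dst == NULL)
            return NULL;
        *used_heap = 1;
    }

    if (mbstowcs(dst, filename, need) == (size_t)-1) {
        if (*used_heap) {
            free(dst);
            *used_heap = 0;
        }
        return NULL;
    }
    return dst;
}

/* Classify what widen_filename() did with `filename`:
 * 0 = rejected (NULL result), 1 = stack buffer used, 2 = heap buffer used.
 * Also checks the wide copy matches the ASCII input; mismatch yields 0. */
int widen_path_kind(const char *filename)
{
    wchar_t buf[64];                          /* 64-wchar stack budget */
    int heap = 0, kind;
    size_t i;
    wchar_t *w = widen_filename(filename, buf,
                                sizeof buf / sizeof buf[0], &heap);
    if (w == NULL)
        return 0;
    kind = heap ? 2 : 1;
    for (i = 0; filename[i] != '\0'; i++)
        if (w[i] != (wchar_t)(unsigned char)filename[i])
            kind = 0;
    if (w[i] != L'\0')
        kind = 0;
    if (heap)
        free(w);
    return kind;
}

int main(void)
{
    /* Constructed inputs: a short name, a 200-byte name, an over-long name. */
    static char mid[201], big[MAX_FILENAME_LEN + 2];
    memset(mid, 'a', 200);
    mid[200] = '\0';
    memset(big, 'x', MAX_FILENAME_LEN + 1);
    big[MAX_FILENAME_LEN + 1] = '\0';

    printf("cert.pem      -> %d (1 = stack)\n", widen_path_kind("cert.pem"));
    printf("200-byte name -> %d (2 = heap)\n", widen_path_kind(mid));
    printf("4097-byte name-> %d (0 = rejected)\n", widen_path_kind(big));
    printf("empty name    -> %d (0 = rejected)\n", widen_path_kind(""));
    return 0;
}
```

The point of the two-tier buffer is that the stack cost is a compile-time constant regardless of what the caller passes, so a hostile or merely oversized filename can only trigger a checked malloc failure, never an unchecked stack extension.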