Hi,
When openssl(1) passwd is invoked without passing in the `password' as an
argument, meaning interactively, and if the password is 10 or more characters,
it will show the following memory corruption error, and using -crypt, which is
the default:
openssl(43025) in free(): chunck canary corrupted 0x13a8dc4a1bb0 0xa@0xa
pw_len is set to 8, then passwd_malloc_size is set to pw_len + 2 in order to be
able to warn the user that the password will be truncated then it calls
EVP_read_pw_string(3) which allocates the space size of the input buffer, in
this case password_malloc_size plus 1 for the NUL-termination character through
strlcpy(3).
When we finally call free(password_malloc) the sizes will differ and the memory
will be corrupted. In order to solve this, when we allocate memory for the input
buffer we need to add plus 1 for the NUL-termination character.
Comments? OK?
Index: passwd.c
===================================================================
RCS file: /cvs/src/usr.bin/openssl/passwd.c,v
retrieving revision 1.9
diff -u -p -u -r1.9 passwd.c
--- passwd.c 7 Feb 2018 05:47:55 -0000 1.9
+++ passwd.c 8 Aug 2018 13:00:40 -0000
@@ -213,7 +213,7 @@ passwd_main(int argc, char **argv)
passwd_malloc_size = pw_maxlen + 2;
/* longer than necessary so that we can warn about truncation */
- passwd = passwd_malloc = malloc(passwd_malloc_size);
+ passwd = passwd_malloc = malloc(passwd_malloc_size + 1);
if (passwd_malloc == NULL)
goto err;
}
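
Review bot: on the changed malloc() line the allocation becomes passwd_malloc_size + 1 while passwd_malloc_size itself keeps its old value, so the variable no longer describes the buffer it is named after, and the existing comment ("longer than necessary so that we can warn about truncation") only accounts for the + 2. Either fold the terminator into the assignment above and pass the smaller length to the reader, or keep this form and extend the comment to say the extra byte is for the NUL that EVP_read_pw_string(3) stores. The call that passes the length is outside this hunk, so it is worth confirming that it still receives passwd_malloc_size and not the new allocation size.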
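
The off-by-one described in the message, as an added example that is not code from the post or from the openssl(1) source. `model_read_pw` is a hypothetical stand-in for the reader contract the message describes (up to `maxlen` characters plus a NUL), and the guard byte is a constructed sentinel playing the role of the allocator's chunk canary.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD 0xA5 /* constructed sentinel, stands in for malloc's canary */

/* Hypothetical model of the reader: stores up to maxlen characters and
 * then a terminating NUL, so it may write maxlen + 1 bytes into buf.
 * Returns the number of bytes written. */
static size_t model_read_pw(char *buf, size_t maxlen, const char *typed)
{
    size_t n = strlen(typed);

    if (n > maxlen)
        n = maxlen;
    memcpy(buf, typed, n);
    buf[n] = '\0';
    return n + 1;
}

/* Give the caller `alloc` usable bytes followed by one guard byte, run a
 * read bounded by maxlen, and report whether the guard survived
 * (1 = intact, 0 = overwritten, -1 = allocation failure). */
static int guard_intact(size_t alloc, size_t maxlen, const char *typed)
{
    unsigned char *region = malloc(alloc + 1);
    int ok;

    if (region == NULL)
        return -1;
    region[alloc] = GUARD;
    model_read_pw((char *)region, maxlen, typed);
    ok = (region[alloc] == GUARD);
    free(region);
    return ok;
}

int main(void)
{
    size_t size = 8 + 2; /* the 8 and the + 2 are the values given in the message */

    printf("9 chars,  size bytes:     %d\n", guard_intact(size, size, "012345678"));
    printf("10 chars, size bytes:     %d\n", guard_intact(size, size, "0123456789"));
    printf("10 chars, size + 1 bytes: %d\n", guard_intact(size + 1, size, "0123456789"));
    return 0;
}
```

The guard is only overwritten once the input reaches the full bound, which matches the report that passwords of 10 or more characters trigger the error.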