35081 – buffer overrun in ssl_callback_SSLVerify_CRL( ) (ssl_engine_kernel.c)

Bug 35081 - buffer overrun in ssl_callback_SSLVerify_CRL( ) (ssl_engine_kernel.c)

Summary: buffer overrun in ssl_callback_SSLVerify_CRL( ) (ssl_engine_kernel.c)

Status:	CLOSED FIXED

Alias:	None

Product:	Apache httpd-2
Classification:	Unclassified
Component:	mod_ssl (show other bugs)
Version:	2.0.54
Hardware:	All All

Importance:	P1 critical (vote)
Target Milestone:	---
Assignee:	Apache HTTPD Bugs Mailing List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2005-05-26 09:21 UTC by Marc Stern
Modified:	2005-06-08 03:09 UTC (History)
CC List:	0 users

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marc Stern 2005-05-26 09:21:03 UTC

I found a buffer overrun in ssl_callback_SSLVerify_CRL( ) - ssl_engine_kernel.c:
 
char buff[512]; /* should be plenty */
[...]
n = BIO_read(bio, buff, sizeof(buff));
buff[n] = '\0';
 
If there are more than 512 bytes, n=512, thus we write in buff[512].
We should use
    n = BIO_read(bio, buff, sizeof(buff) - 1);

This could lead to a system crash.

Comment 1 Joe Orton 2005-06-03 15:15:14 UTC

Thanks, Mark.  Committed to the trunk and proposed for backport.
http://svn.apache.org/viewcvs?rev=179781&view=rev

Please note that bugs which you think may have security implications should be
reported in the first place to security@apache.org address.

Comment 2 Joe Orton 2005-06-08 11:09:40 UTC

Merged for 2.0.55.  http://svn.apache.org/viewcvs?rev=189562&view=rev