Bug 35081 - buffer overrun in ssl_callback_SSLVerify_CRL( ) (ssl_engine_kernel.c)
Summary: buffer overrun in ssl_callback_SSLVerify_CRL( ) (ssl_engine_kernel.c)
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.0.54
Hardware: All / OS: All
Importance: P1 critical
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2005-05-26 09:21 UTC by Marc Stern
Modified: 2005-06-08 03:09 UTC
Description Marc Stern 2005-05-26 09:21:03 UTC
I found a buffer overrun in ssl_callback_SSLVerify_CRL( ) - ssl_engine_kernel.c:
    char buff[512]; /* should be plenty */
    n = BIO_read(bio, buff, sizeof(buff));
    buff[n] = '\0';
If there are more than 512 bytes, n=512, thus we write in buff[512].
We should use
    n = BIO_read(bio, buff, sizeof(buff) - 1);

This could lead to a system crash.
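The off-by-one the report describes, as an added example that is not part of the bug report or of httpd's code: a constructed mem_read() stands in for BIO_read() (same return convention, no OpenSSL needed), and the 512-byte buffer is followed by one guard byte so that the out-of-bounds terminator write can be observed without undefined behaviour. use_fix selects between the original read length and the proposed sizeof(buff) - 1.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for BIO_read(): copies up to len bytes from an
 * in-memory source and returns how many it copied (0 once exhausted).
 * Hypothetical helper so the example runs without linking OpenSSL. */
struct mem_src { const char *data; size_t len; size_t pos; };

static int mem_read(struct mem_src *src, char *out, int len) {
    size_t avail = src->len - src->pos;
    size_t n = (size_t)len < avail ? (size_t)len : avail;
    memcpy(out, src->data + src->pos, n);
    src->pos += n;
    return (int)n;
}

#define BUFF_SIZE 512 /* same size as buff[] in ssl_engine_kernel.c */

/* Runs the read-then-terminate sequence from the report against a
 * BUFF_SIZE-byte region followed by one guard byte. With use_fix == 0
 * the read length is sizeof(buff) (the original code); with use_fix != 0
 * it is sizeof(buff) - 1 (the proposed fix). Returns 1 if the guard byte
 * after the region was overwritten, i.e. the terminator landed outside
 * the 512 bytes the code reserved. The guard byte keeps the write inside
 * a real array so the demonstration itself is well-defined. */
int terminator_out_of_bounds(int use_fix, size_t payload_len) {
    static char payload[4 * BUFF_SIZE];        /* constructed input */
    memset(payload, 'A', sizeof(payload));
    if (payload_len > sizeof(payload)) payload_len = sizeof(payload);
    struct mem_src src = { payload, payload_len, 0 };

    char region[BUFF_SIZE + 1];
    const char guard = 0x7f;
    region[BUFF_SIZE] = guard;

    int read_len = use_fix ? BUFF_SIZE - 1 : BUFF_SIZE;
    int n = mem_read(&src, region, read_len);
    if (n < 0) n = 0;            /* treat a failed read as an empty string */
    region[n] = '\0';            /* the write under discussion */

    return region[BUFF_SIZE] != guard;
}
```

Only a source of exactly 512 bytes or more triggers the overrun with the original length; anything shorter terminates inside the buffer either way, which is why the bug is easy to miss in testing.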
Comment 1 Joe Orton 2005-06-03 15:15:14 UTC
Thanks, Mark.  Committed to the trunk and proposed for backport.

Please note that bugs which you think may have security implications should be
reported in the first place to security@apache.org address.
Comment 2 Joe Orton 2005-06-08 11:09:40 UTC
Merged for 2.0.55.  http://svn.apache.org/viewcvs?rev=189562&view=rev