Address potential buffer overflows.

Reviewed-by: N Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3878)

Address potential buffer overflows.
Reviewed-by: N Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3878)
86ba26c8 · Pauli · b4df712a · 86ba26c8 · 86ba26c8 · 86ba26c8
显示空白变更内容
内联并排

Showing with 80 addition and 46 deletion

crypto/bn/bn_print.c crypto/bn/bn_print.c +15 -12

crypto/mem_dbg.c crypto/mem_dbg.c +45 -17

crypto/pem/pem_lib.c crypto/pem/pem_lib.c +20 -17

未找到文件。
--- a/crypto/bn/bn_print.c
+++ b/crypto/bn/bn_print.c
@@ -52,7 +52,7 @@ char *BN_bn2hex(const BIGNUM *a)
 /* Must 'OPENSSL_free' the returned data */
 char *BN_bn2dec(const BIGNUM *a)
 {
-    int i = 0, num, ok = 0;
+    int i = 0, num, ok = 0, n, tbytes;
    char *buf = NULL;
    char *p;
    BIGNUM *t = NULL;
@@ -67,9 +67,10 @@ char *BN_bn2dec(const BIGNUM *a)
     */
    i = BN_num_bits(a) * 3;
    num = (i / 10 + i / 1000 + 1) + 1;
+    tbytes = num + 3;   /* negative and terminator and one spare? */
    bn_data_num = num / BN_DEC_NUM + 1;
    bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG));
-    buf = OPENSSL_malloc(num + 3);
+    buf = OPENSSL_malloc(tbytes);
    if ((buf == NULL) || (bn_data == NULL)) {
        BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE);
        goto err;
@@ -100,14 +101,16 @@ char *BN_bn2dec(const BIGNUM *a)
         * the last one needs truncation. The blocks need to be reversed in
         * order.
         */
-        sprintf(p, BN_DEC_FMT1, *lp);
+        n = BIO_snprintf(p, tbytes - (size_t)(p - buf), BN_DEC_FMT1, *lp);
-        while (*p)
+        if (n < 0)
-            p++;
+            goto err;
+        p += n;
        while (lp != bn_data) {
            lp--;
-            sprintf(p, BN_DEC_FMT2, *lp);
+            n = BIO_snprintf(p, tbytes - (size_t)(p - buf), BN_DEC_FMT2, *lp);
-            while (*p)
+            if (n < 0)
-                p++;
+                goto err;
+            p += n;
        }
    }
    ok = 1;
@@ -331,11 +334,11 @@ char *BN_options(void)
    if (!init) {
        init++;
 #ifdef BN_LLONG
-        sprintf(data, "bn(%d,%d)",
+        BIO_snprintf(data, sizeof(data), "bn(%zu,%zu)",
-                (int)sizeof(BN_ULLONG) * 8, (int)sizeof(BN_ULONG) * 8);
+                     sizeof(BN_ULLONG) * 8, sizeof(BN_ULONG) * 8);
 #else
-        sprintf(data, "bn(%d,%d)",
+        BIO_snprintf(data, sizeof(data), "bn(%zu,%zu)",
-                (int)sizeof(BN_ULONG) * 8, (int)sizeof(BN_ULONG) * 8);
+                     sizeof(BN_ULONG) * 8, sizeof(BN_ULONG) * 8);
 #endif
    }
    return data;

--- a/crypto/mem_dbg.c
+++ b/crypto/mem_dbg.c
@@ -453,8 +453,9 @@ static void print_leak(const MEM *m, MEM_LEAK *l)
 {
    char buf[1024];
    char *bufp = buf;
+    size_t len = sizeof(buf), ami_cnt;
    APP_INFO *amip;
-    int ami_cnt;
+    int n;
    struct tm *lcl = NULL;
    /*
     * Convert between CRYPTO_THREAD_ID (which could be anything at all) and
@@ -468,21 +469,37 @@ static void print_leak(const MEM *m, MEM_LEAK *l)
    CRYPTO_THREAD_ID ti;
    lcl = localtime(&m->time);
-    sprintf(bufp, "[%02d:%02d:%02d] ", lcl->tm_hour, lcl->tm_min, lcl->tm_sec);
+    n = BIO_snprintf(bufp, len, "[%02d:%02d:%02d] ",
-    bufp += strlen(bufp);
+                     lcl->tm_hour, lcl->tm_min, lcl->tm_sec);
+    if (n <= 0) {
+        bufp[0] = '\0';
+        return;
+    }
+    bufp += n;
+    len -= n;
-    sprintf(bufp, "%5lu file=%s, line=%d, ", m->order, m->file, m->line);
+    n = BIO_snprintf(bufp, len, "%5lu file=%s, line=%d, ",
-    bufp += strlen(bufp);
+                     m->order, m->file, m->line);
+    if (n <= 0)
+        return;
+    bufp += n;
+    len -= n;
    tid.ltid = 0;
    tid.tid = m->threadid;
-    sprintf(bufp, "thread=%lu, ", tid.ltid);
+    n = BIO_snprintf(bufp, len, "thread=%lu, ", tid.ltid);
-    bufp += strlen(bufp);
+    if (n <= 0)
+        return;
+    bufp += n;
+    len -= n;
-    sprintf(bufp, "number=%d, address=%p\n", m->num, m->addr);
+    n = BIO_snprintf(bufp, len, "number=%d, address=%p\n", m->num, m->addr);
-    bufp += strlen(bufp);
+    if (n <= 0)
+        return;
+    bufp += n;
+    len -= n;
-    l->print_cb(buf, strlen(buf), l->print_cb_arg);
+    l->print_cb(buf, (size_t)(bufp - buf), l->print_cb_arg);
    l->chunks++;
    l->bytes += m->num;
@@ -498,23 +515,34 @@ static void print_leak(const MEM *m, MEM_LEAK *l)
            int info_len;
            ami_cnt++;
+            if (ami_cnt >= sizeof(buf) - 1)
+                break;
            memset(buf, '>', ami_cnt);
+            buf[ami_cnt] = '\0';
            tid.ltid = 0;
            tid.tid = amip->threadid;
-            sprintf(buf + ami_cnt, " thread=%lu, file=%s, line=%d, info=\"",
+            n = BIO_snprintf(buf + ami_cnt, sizeof(buf) - ami_cnt,
+                             " thread=%lu, file=%s, line=%d, info=\"",
                             tid.ltid, amip->file, amip->line);
-            buf_len = strlen(buf);
+            if (n <= 0)
+                break;
+            buf_len = ami_cnt + n;
            info_len = strlen(amip->info);
            if (128 - buf_len - 3 < info_len) {
                memcpy(buf + buf_len, amip->info, 128 - buf_len - 3);
                buf_len = 128 - 3;
            } else {
-                strcpy(buf + buf_len, amip->info);
+                n = BIO_snprintf(buf + buf_len, sizeof(buf) - buf_len, "%s",
-                buf_len = strlen(buf);
+                                 amip->info);
+                if (n < 0)
+                    break;
+                buf_len += n;
            }
-            sprintf(buf + buf_len, "\"\n");
+            n = BIO_snprintf(buf + buf_len, sizeof(buf) - buf_len, "\"\n");
+            if (n <= 0)
+                break;
-            l->print_cb(buf, strlen(buf), l->print_cb_arg);
+            l->print_cb(buf, buf_len + n, l->print_cb_arg);
            amip = amip->next;
        }

--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
 /*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
@@ -71,6 +71,7 @@ int PEM_def_callback(char *buf, int num, int w, void *key)
 void PEM_proc_type(char *buf, int type)
 {
    const char *str;
+    char *p = buf + strlen(buf);
    if (type == PEM_TYPE_ENCRYPTED)
        str = "ENCRYPTED";
@@ -81,27 +82,29 @@ void PEM_proc_type(char *buf, int type)
    else
        str = "BAD-TYPE";
-    strcat(buf, "Proc-Type: 4,");
+    BIO_snprintf(p, PEM_BUFSIZE - (size_t)(p - buf), "Proc-Type: 4,%s\n", str);
-    strcat(buf, str);
-    strcat(buf, "\n");
 }
 void PEM_dek_info(char *buf, const char *type, int len, char *str)
 {
-    static const unsigned char map[17] = "0123456789ABCDEF";
    long i;
-    int j;
+    char *p = buf + strlen(buf);
+    int j = PEM_BUFSIZE - (size_t)(p - buf), n;
-    strcat(buf, "DEK-Info: ");
+    n = BIO_snprintf(p, j, "DEK-Info: %s,", type);
-    strcat(buf, type);
+    if (n > 0) {
-    strcat(buf, ",");
+        j -= n;
-    j = strlen(buf);
+        p += n;
        for (i = 0; i < len; i++) {
-        buf[j + i * 2] = map[(str[i] >> 4) & 0x0f];
+            n = BIO_snprintf(p, j, "%02X", 0xff & str[i]);
-        buf[j + i * 2 + 1] = map[(str[i]) & 0x0f];
+            if (n <= 0)
+                return;
+            j -= n;
+            p += n;
+        }
+        if (j > 1)
+            strcpy(p, "\n");
    }
-    buf[j + i * 2] = '\n';
-    buf[j + i * 2 + 1] = '\0';
 }
 #ifndef OPENSSL_NO_STDIO