Avoid negative array index in BIO_debug_callback()

BIO_snprintf() can return -1 on truncation (and overflow as of commit 9cb17730). Though neither can realistically occur while printing a pointer and short fixed string into a buffer of length 256, the analysis to confirm that this the case goes somewhat far up the call chain, and not all static analyzers can successfully follow the chain of logic. It's easy enough to clamp the returned length to be nonnegative before continuing, which appeases the static analyzer and does not harm the subsequent code. Reviewed-by: N Richard Levitte <levitte@openssl.org> Reviewed-by: N Rich Salz <rsalz@openssl.org>

Avoid negative array index in BIO_debug_callback()
BIO_snprintf() can return -1 on truncation (and overflow as of commit 9cb17730). Though neither can realistically occur while printing a pointer and short fixed string into a buffer of length 256, the analysis to confirm that this the case goes somewhat far up the call chain, and not all static analyzers can successfully follow the chain of logic. It's easy enough to clamp the returned length to be nonnegative before continuing, which appeases the static analyzer and does not harm the subsequent code. Reviewed-by: N Richard Levitte <levitte@openssl.org> Reviewed-by: N Rich Salz <rsalz@openssl.org>
a1673e15 · Benjamin Kaduk · Rich Salz · 80e8fdbe · a1673e15
隐藏空白更改
内联并排

Showing with 3 addition and 0 deletion

crypto/bio/bio_cb.c crypto/bio/bio_cb.c +3 -0

未找到文件。
--- a/crypto/bio/bio_cb.c
+++ b/crypto/bio/bio_cb.c
@@ -77,6 +77,9 @@ long BIO_debug_callback(BIO *bio, int cmd, const char *argp,

    len = BIO_snprintf(buf,sizeof buf,"BIO[%p]: ",(void *)bio);

+    /* Ignore errors and continue printing the other information. */
+    if (len < 0)
+        len = 0;
    p = buf + len;
    p_maxlen = sizeof(buf) - len;