Branch: refs/heads/master
  Home:   https://github.openssl.org/openssl/openssl
  Commit: 0d1a0ed63d1b4faa3711a69a19f7029947524cfa
      
https://github.openssl.org/openssl/openssl/commit/0d1a0ed63d1b4faa3711a69a19f7029947524cfa
  Author: Benny Baumann <[email protected]>
  Date:   2022-05-23 (Mon, 23 May 2022)

  Changed paths:
    M apps/lib/opt.c

  Log Message:
  -----------
  Avoid potential OOB if width > sizeof(start)

This can't currently happen due to sizeof(start) being way larger than MAX_OPT_HELP_WIDTH,
but wasn't checked for previously. With this patch there still remains one (static) OOB,
when the length of the option name and the valtype2param string for that argument overflow
the buffer in opt_print. This is kinda unlikely, unless someone intentionally crafts a
long option name, in which case this would become some trivial stack buffer overrun with
possibility to overwrite pointer to the OPTIONS structure (a long o->name is critical here).

I sincerely hope we trust our built-in documentation to not exploit ourselves.

Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/12265)


  Commit: aac6ae3774f341412bc45583ef9358df5b76a008
      
https://github.openssl.org/openssl/openssl/commit/aac6ae3774f341412bc45583ef9358df5b76a008
  Author: Benny Baumann <[email protected]>
  Date:   2022-05-23 (Mon, 23 May 2022)

  Changed paths:
    M apps/lib/opt.c

  Log Message:
  -----------
  Avoid unchecked string concatenation

To avoid the issue of overflowing the buffer start while
building up the help string prefix this rewrite of the
string building logic does multiple smaller writes to
opt_printf_stderr. While this is slower it completely
avoids the buffer overflow issue and does not place
any (unchecked) length constraints on the name of passed
options. Instead such long options are gracefully
wrapped onto the next line.

Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/12265)


Compare: 
https://github.openssl.org/openssl/openssl/compare/fb4cdca053fb...aac6ae3774f3
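
The approach the second commit message describes (several small writes instead of assembling the help prefix in a fixed buffer, with over-long option names wrapped onto the next line), shown as an added example. This is not the code from apps/lib/opt.c; `print_opt`, `struct opt` and `HELP_WIDTH` are hypothetical names, and the column value is an assumption.

```c
#include <stdio.h>

#define HELP_WIDTH 30 /* assumed column where the help text starts */

/* Hypothetical option record, not OpenSSL's OPTIONS structure. */
struct opt { const char *name, *param, *help; };

/*
 * Print one help line without assembling the prefix in a fixed buffer.
 * Every piece goes straight to the stream, so the length of name or
 * param cannot overrun anything. Returns 1 if the prefix reached the
 * help column and the help text was wrapped onto the next line, 0 if
 * it fit on one line, -1 on output error.
 */
int print_opt(FILE *out, const struct opt *o)
{
    int col = 0, n, wrapped = 0;

    if ((n = fprintf(out, " -%s", o->name)) < 0)
        return -1;
    col += n;
    if (o->param != NULL) {
        if ((n = fprintf(out, " %s", o->param)) < 0)
            return -1;
        col += n;
    }
    if (col >= HELP_WIDTH) {
        /* Prefix is too wide: wrap rather than truncate or overflow. */
        if (fputc('\n', out) == EOF)
            return -1;
        col = 0;
        wrapped = 1;
    }
    /* Pad to the help column with a computed field width. */
    if (fprintf(out, "%*s%s\n", HELP_WIDTH - col, "", o->help) < 0)
        return -1;
    return wrapped;
}

int main(void)
{
    /* Constructed sample options. */
    struct opt fits = { "in", "infile", "Input file" };
    struct opt wide = { "a-deliberately-long-option-name", "val", "Wrapped" };

    print_opt(stdout, &fits);
    print_opt(stdout, &wide);
    return 0;
}
```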
