Fix off-by-one s_client overflows

There are one-byte buffer overflows possible in s_client's handling
of STARTTLS in various protocols. If a server's response fills the entire
buffer (16k) then we attempt to add a NUL terminator one byte off the end
of the buffer.

This was reported by Igor Morgenstern from AISLE to openssl-security and
assessed by the security team as "bug or hardening only".

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Sat Apr 11 16:16:24 2026
(Merged from https://github.com/openssl/openssl/pull/30731)
Matt Caswell
2026-04-08 16:36:42 +01:00
committed by Nikola Pajkovsky
parent 561a86e783
commit c56d37defe
+5 -5
@@ -2720,7 +2720,7 @@ re_start:
"xmlns='jabber:%s' to='%s' version='1.0'>",
starttls_proto == PROTO_XMPP ? "client" : "server",
protohost ? protohost : host);
seen = BIO_read(sbio, mbuf, BUFSIZZ);
seen = BIO_read(sbio, mbuf, BUFSIZZ - 1);
if (seen < 0) {
BIO_printf(bio_err, "BIO_read failed\n");
goto end;
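Review bot: the `if (seen < 0)` check after this read lets a read that returns 0 fall through, while the loop in the next hunk treats `seen <= 0` as a reason to `goto shut`. With the read capped at `BUFSIZZ - 1` the terminator stays in bounds either way, but the two checks should either be made consistent or this one should carry a comment saying why an empty first read is acceptable here.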
@@ -2729,7 +2729,7 @@ re_start:
while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")
&& !strstr(mbuf,
"<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\"")) {
seen = BIO_read(sbio, mbuf, BUFSIZZ);
seen = BIO_read(sbio, mbuf, BUFSIZZ - 1);
if (seen <= 0)
goto shut;
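Review bot: in this loop every `BIO_read(sbio, mbuf, BUFSIZZ - 1)` writes from the start of `mbuf`, so the `strstr` calls in the condition only see the most recent chunk, and a `<starttls ...>` element that straddles two reads will never match. That behaviour predates this change and need not block it, but since the read size is being touched anyway it is worth either appending into the buffer up to the `BUFSIZZ - 1` limit or recording the limitation as a follow-up.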
@@ -2738,7 +2738,7 @@ re_start:
}
BIO_puts(sbio,
"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
seen = BIO_read(sbio, sbuf, BUFSIZZ);
seen = BIO_read(sbio, sbuf, BUFSIZZ - 1);
if (seen < 0) {
BIO_puts(bio_err, "BIO_read failed\n");
goto shut;
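Review bot: this read targets `sbuf`, not `mbuf` as in the two hunks above, so the `BUFSIZZ - 1` bound is only correct if `sbuf` is also `BUFSIZZ` bytes, which these lines do not show. Please confirm that in the PR description, or tie the bound to the same constant used where `sbuf` is allocated so the two cannot drift apart.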
@@ -2963,7 +2963,7 @@ re_start:
"Didn't find STARTTLS in server response,"
" trying anyway...\n");
BIO_puts(sbio, "STARTTLS\r\n");
mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ);
mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ - 1);
if (mbuf_len < 0) {
BIO_puts(bio_err, "BIO_read failed\n");
goto end;
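Review bot: the `BUFSIZZ - 1` in `mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ - 1);` has no comment saying that the spare byte is reserved for the NUL terminator written after the read. A one-line comment at the call would stop a later cleanup from "simplifying" it back to `BUFSIZZ` and reintroducing the off-by-one.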
@@ -3004,7 +3004,7 @@ re_start:
"Didn't find STARTTLS in server response,"
" trying anyway...\n");
BIO_puts(sbio, "STARTTLS\r\n");
mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ);
mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ - 1);
if (mbuf_len < 0) {
BIO_puts(bio_err, "BIO_read failed\n");
goto end;
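Review bot: this block is line-for-line the same as the one at 2963 (`BIO_puts(sbio, "STARTTLS\r\n");` followed by the bounded read and the `mbuf_len < 0` check), and the `BUFSIZZ - 1` literal now appears at five call sites. Consider a small helper that performs the read with the reduced bound and writes the terminator itself, so the invariant lives in one place instead of relying on every caller getting the arithmetic right.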