PHP :: Bug #42222 :: php_openssl_make_REQ() buffer overflow
| Bug #42222 | php_openssl_make_REQ() buffer overflow | | |
|---|---|---|---|
| Submitted: | 2007-08-06 18:10 UTC | Modified: | 2007-08-06 19:13 UTC |
| From: | zatanzlatan at hotbrev dot com | Assigned: | pajoye (profile) |
| Status: | Closed | Package: | OpenSSL related |
| PHP Version: | 5CVS-2007-08-06 (CVS) | OS: | Linux |
| Private report: | No | CVE-ID: | None |
[2007-08-06 18:10 UTC] zatanzlatan at hotbrev dot com
Description:
------------
The function php_openssl_make_REQ() in ext/openssl/openssl.c has a buffer overflow when parsing openssl.conf.
Look at this:
char buffer[200];
v = sk_CONF_VALUE_value(dn_sk, i);
type = v->name;
len = strlen(type);
if (len < sizeof("_default")) {
    continue;
}
len -= sizeof("_default") - 1;
if (strcmp("_default", type + len) != 0) {
    continue;
}
memcpy(buffer, type, len);
buffer[len] = '\0';
There is no check whether the name field with "_default" removed is larger than 200!
If you change "0.organizationName_default" in openssl.conf to "0." + 300 chars + "_default", then the buffer will be overflowed in the memcpy().
Reproduce code:
---------------
You can test this with openssl_csr_new().
Expected result:
----------------
Program should keep running.
Actual result:
--------------
Program crashed.
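
Added example (not part of the original report and not PHP's code): the suffix-stripping copy quoted in the report, rewritten with the length check the reporter says is missing. The helper names strip_default_suffix() and check_oversized_name() and the return codes are hypothetical; the oversized input is constructed to match the "0." + 300 chars + "_default" case.

```c
#include <stdio.h>
#include <string.h>

#define SUFFIX "_default"
#define SUFFIX_LEN (sizeof(SUFFIX) - 1)

/* Hypothetical helper (not from ext/openssl/openssl.c).
 * Copies `name` without its trailing "_default" into out[outsz].
 * Returns 0 on success, -1 if name is not a "<field>_default" key,
 * -2 if the stripped name would not fit in out (the case the report hits). */
static int strip_default_suffix(const char *name, char *out, size_t outsz)
{
    size_t len = strlen(name);

    if (len <= SUFFIX_LEN) {           /* same test as len < sizeof("_default") */
        return -1;
    }
    len -= SUFFIX_LEN;
    if (strcmp(SUFFIX, name + len) != 0) {
        return -1;
    }
    if (len >= outsz) {                /* the check missing in the quoted code */
        return -2;
    }
    memcpy(out, name, len);
    out[len] = '\0';                   /* safe: len <= outsz - 1 */
    return 0;
}

/* Constructed input: "0." + 300 'A' + "_default", as described in the report. */
static int check_oversized_name(void)
{
    char name[2 + 300 + SUFFIX_LEN + 1];
    char buffer[200];
    memcpy(name, "0.", 2);
    memset(name + 2, 'A', 300);
    memcpy(name + 302, SUFFIX, SUFFIX_LEN + 1);   /* includes the NUL */
    return strip_default_suffix(name, buffer, sizeof(buffer));
}

int main(void)
{
    char buffer[200];
    int rc = strip_default_suffix("0.organizationName_default", buffer, sizeof(buffer));
    printf("normal: rc=%d base=%s\n", rc, rc == 0 ? buffer : "-");
    printf("oversized: rc=%d\n", check_oversized_name());
    return 0;
}
```

Passing the destination size to the helper keeps the bound next to the copy, so the check cannot drift if the buffer size changes.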
[2007-08-06 19:13 UTC] pajoye@php.net