PHP :: Bug #42222 :: php_openssl_make

Bug #42222	php_openssl_make_REQ() buffer overflow
Submitted:	2007-08-06 18:10 UTC	Modified:	2007-08-06 19:13 UTC
From:	zatanzlatan at hotbrev dot com	Assigned:	pajoye (profile)
Status:	Closed	Package:	OpenSSL related
PHP Version:	5CVS-2007-08-06 (CVS)	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	zatanzlatan at hotbrev dot com
New email:
PHP Version:		OS:

New Comment:

[2007-08-06 18:10 UTC] zatanzlatan at hotbrev dot com

Description:
------------
function php_openssl_make_REQ() in ext/openssl/openssl.c has buffer overflow when parsing openssl.conf

look at this:

			char buffer[200];
			
			v = sk_CONF_VALUE_value(dn_sk, i);
			type = v->name;
			
			len = strlen(type);
			if (len < sizeof("_default")) {
				continue;
			}
			len -= sizeof("_default") - 1;
			if (strcmp("_default", type + len) != 0) {
				continue;
			}
			
			memcpy(buffer, type, len);
			buffer[len] = '\0';

no check if name field with "_default" removed is larger than 200!

if u change "0.organizationName_default" in openssl.conf to "0." + 300 chars + "_default" then the buffer will be overflown in the memcpy().

Reproduce code:
---------------
u can test this with openssl_csr_new().

Expected result:
----------------
program should keep running.

Actual result:
--------------
program crashed.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-08-06 19:13 UTC] pajoye@php.net

Thanks for the detailed report!

Fixed in 5.2 and HEAD.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Mar 11 04:01:28 2025 UTC