Bug #42222 php_openssl_make_REQ() buffer overflow
Submitted: 2007-08-06 18:10 UTC
Modified: 2007-08-06 19:13 UTC
From: zatanzlatan at hotbrev dot com
Assigned: pajoye
Status: Closed
Package: OpenSSL related
PHP Version: 5CVS-2007-08-06 (CVS)
OS: Linux
Private report: No
CVE-ID:
 [2007-08-06 18:10 UTC] zatanzlatan at hotbrev dot com
Description:
------------
The function php_openssl_make_REQ() in ext/openssl/openssl.c has a buffer overflow when parsing openssl.conf.

Look at this:

			char buffer[200];
			
			v = sk_CONF_VALUE_value(dn_sk, i);
			type = v->name;
			
			len = strlen(type);
			if (len < sizeof("_default")) {
				continue;
			}
			len -= sizeof("_default") - 1;
			if (strcmp("_default", type + len) != 0) {
				continue;
			}
			
			memcpy(buffer, type, len);
			buffer[len] = '\0';

There is no check whether the name field with "_default" removed is larger than 200!

If you change "0.organizationName_default" in openssl.conf to "0." + 300 chars + "_default", then the buffer will be overflowed in the memcpy().

Reproduce code:
---------------
You can test this with openssl_csr_new().

Expected result:
----------------
Program should keep running.

Actual result:
--------------
Program crashed.

 [2007-08-06 19:13 UTC] pajoye@php.net
Thanks for the detailed report!

Fixed in 5.2 and HEAD.
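
A bounds-checked version of the suffix-stripping copy from the report, as an added example (not the code committed to PHP, which this page does not show). The helper names strip_default_suffix and check_oversized_name are hypothetical, and rejecting an oversized name rather than truncating it is an assumption of this sketch.

```c
#include <stdio.h>
#include <string.h>

#define DEFAULT_SUFFIX "_default"

/* Hypothetical helper (not from openssl.c): copy `name` without its trailing
 * "_default" into `out`. Returns 0 on success, -1 if the suffix is missing
 * or the stripped name (plus NUL) does not fit in `out_size` bytes. */
static int strip_default_suffix(const char *name, char *out, size_t out_size)
{
    const size_t suffix_len = sizeof(DEFAULT_SUFFIX) - 1;
    size_t len = strlen(name);

    if (len <= suffix_len) {
        return -1;              /* nothing left once the suffix is removed */
    }
    len -= suffix_len;
    if (strcmp(DEFAULT_SUFFIX, name + len) != 0) {
        return -1;              /* not a *_default entry */
    }
    if (len >= out_size) {
        return -1;              /* the check missing before memcpy() in the report */
    }
    memcpy(out, name, len);
    out[len] = '\0';
    return 0;
}

/* Constructed input: "0." + 300 'A' characters + "_default", as in the report. */
static int check_oversized_name(void)
{
    char name[2 + 300 + sizeof(DEFAULT_SUFFIX)];
    char buffer[200];
    memcpy(name, "0.", 2);
    memset(name + 2, 'A', 300);
    memcpy(name + 302, DEFAULT_SUFFIX, sizeof(DEFAULT_SUFFIX));
    return strip_default_suffix(name, buffer, sizeof(buffer));
}

int main(void)
{
    char buffer[200];
    if (strip_default_suffix("0.organizationName_default", buffer, sizeof(buffer)) == 0) {
        printf("stripped: %s\n", buffer);
    }
    printf("oversized name: %d\n", check_oversized_name());
    return 0;
}
```

The length test uses >= rather than > so that the terminating NUL written at out[len] also stays inside the buffer.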
 
Last updated: Mon Apr 21 12:02:07 2014 UTC