projects / openssl.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: f792c66) | patch
Avoid some undefined pointer arithmetic
authorMatt Caswell <matt@openssl.org>
Thu, 5 May 2016 10:10:26 +0000 (11:10 +0100)
committerMatt Caswell <matt@openssl.org>
Wed, 1 Jun 2016 13:22:40 +0000 (14:22 +0100)
commita004e72b95835136d3f1ea90517f706c24c03da7
tree2c8c502f9c7748209fbb41ac48b952afe73f84a8tree | snapshot
parentf792c663048f19347a1bb72125e535e4fb2ecf39commit | diff
Avoid some undefined pointer arithmetic

A common idiom in the codebase is:

if (p + len > limit)
{
    return; /* Too long */
}

Where "p" points to some malloc'd data of SIZE bytes and
limit == p + SIZE

"len" here could be from some externally supplied data (e.g. from a TLS
message).

The rules of C pointer arithmetic are such that "p + len" is only well
defined where len <= SIZE. Therefore the above idiom is actually
undefined behaviour.

For example this could cause problems if some malloc implementation
provides an address for "p" such that "p + len" actually overflows for
values of len that are too big and therefore p + len < limit!

Issue reported by Guido Vranken.

CVE-2016-2177

Reviewed-by: Rich Salz <rsalz@openssl.org>
ssl/s3_srvr.c diff | blob | history
ssl/ssl_sess.c diff | blob | history
ssl/t1_lib.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.