# OpenSSL CVE-2016-0799 analysis

- Environment setup
- Vulnerability analysis
- Exploitation

Searching GitHub directly turns up the commit that fixes this problem. The commit message gives a thorough explanation, so let's follow it to see exactly why the problem arises, switching to the parent commit.

First, the main function in which the problem occurs is this one (the pre-fix version):

```c
#include <assert.h>
#include <string.h>
#include <openssl/crypto.h>   /* OPENSSL_malloc / OPENSSL_realloc */

static void doapr_outch(char **sbuffer,
                        char **buffer, size_t *currlen, size_t *maxlen, int c)
{
    /* If we haven't at least one buffer, someone has done a big booboo */
    assert(*sbuffer != NULL || buffer != NULL);

    /* |currlen| must always be <= |*maxlen| */
    assert(*currlen <= *maxlen);

    if (buffer && *currlen == *maxlen) {
        *maxlen += 1024;
        if (*buffer == NULL) {
            *buffer = OPENSSL_malloc(*maxlen);
            if (*buffer == NULL) {
                /* Panic! Can't really do anything sensible. Just return */
                return;
            }
            if (*currlen > 0) {
                assert(*sbuffer != NULL);
                memcpy(*buffer, *sbuffer, *currlen);
            }
            *sbuffer = NULL;
        } else {
            /* On failure the old pointer is lost and *buffer becomes NULL,
             * while *maxlen has already been increased */
            *buffer = OPENSSL_realloc(*buffer, *maxlen);
            if (!*buffer) {
                /* Panic! Can't really do anything sensible. Just return */
                return;
            }
        }
    }

    if (*currlen < *maxlen) {
        if (*sbuffer)
            (*sbuffer)[(*currlen)++] = (char)c;
        else
            (*buffer)[(*currlen)++] = (char)c;
    }
    return;
}
```
This function can run into the following problems:

1. There is no error handling, which leads to errors
2. `size_t` overflow, which leads to errors
Moreover, from this part:

```c
if (*currlen < *maxlen) {
    if (*sbuffer)
        (*sbuffer)[(*currlen)++] = (char)c;
    else
        (*buffer)[(*currlen)++] = (char)c;
}
```

we can reasonably infer that this function must be called in a loop.
Consider the following situation:

| Condition | Result |
|---|---|
| After the first time `buffer && *currlen == *maxlen` holds | `*sbuffer = NULL` |
| After the second time `buffer && *currlen == *maxlen` holds | if the realloc fails, `*buffer = NULL` |

On the next iteration of the loop we arrive here again:

```c
if (*currlen < *maxlen) {
    if (*sbuffer)
        (*sbuffer)[(*currlen)++] = (char)c;
    else
        (*buffer)[(*currlen)++] = (char)c;
}
```
Now `*sbuffer == NULL`, so the write goes through `*buffer`, which is also `NULL`; since `currlen` is not constrained, this directly overwrites memory.

## Summary
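As an added example (not the page's or OpenSSL's own code) of the fix the commit describes: a checked variant of `doapr_outch` that reports allocation failure to its caller instead of silently returning, driven by a loop that stops at the first failure. The fault-injecting allocator `xrealloc`, the driver `emit_checked` and the `SIZE_MAX` guard are my own constructions modelled on the fix, not copies of it.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed fault-injecting allocator standing in for OPENSSL_realloc:
 * the fail_on_call-th allocation returns NULL (0 means never fail). */
static int alloc_calls, fail_on_call;
static void *xrealloc(void *p, size_t n) { return (++alloc_calls == fail_on_call) ? NULL : realloc(p, n); }

/* Checked variant of doapr_outch (assumption, modelled on the fix): returns 1 on
 * success, 0 on allocation failure or size overflow, so the caller can stop. */
static int outch_checked(char **sbuffer, char **buffer,
                         size_t *currlen, size_t *maxlen, int c)
{
    if (buffer && *currlen == *maxlen) {
        if (*maxlen > SIZE_MAX - 1024)
            return 0;                        /* size_t overflow guard */
        *maxlen += 1024;
        if (*buffer == NULL) {
            if ((*buffer = xrealloc(NULL, *maxlen)) == NULL)
                return 0;                    /* report, do not silently return */
            if (*currlen > 0) memcpy(*buffer, *sbuffer, *currlen);
            *sbuffer = NULL;
        } else {
            char *tmp = xrealloc(*buffer, *maxlen);
            if (tmp == NULL)
                return 0;                    /* old block stays valid for the caller to free */
            *buffer = tmp;
        }
    }
    if (*currlen < *maxlen) {
        if (*sbuffer)
            (*sbuffer)[(*currlen)++] = (char)c;
        else
            (*buffer)[(*currlen)++] = (char)c;
    }
    return 1;
}

/* Drive it like the format loop does, from an 8-byte static buffer; returns
 * how many characters were accepted before the first reported failure. */
static size_t emit_checked(size_t n, int fail_on)
{
    char stack[8], *sbuffer = stack, *dyn = NULL;
    size_t currlen = 0, maxlen = sizeof stack, i;
    alloc_calls = 0; fail_on_call = fail_on;
    for (i = 0; i < n; i++)
        if (!outch_checked(&sbuffer, &dyn, &currlen, &maxlen, 'x'))
            break;                           /* propagate the error upward */
    free(dyn);
    return i;
}
```

With the first allocation failing, the loop stops after the 8 bytes that fit the static buffer; with the second (the realloc) failing, it stops at 1032 bytes, and in neither case is a later character written through a `NULL` `*buffer`.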
## References

OpenSSL CVE-2016-0799: heap corruption via BIO_printf