[nginx] SSL: overcame possible buffer over-read in ngx_ssl_error().

Valentin Bartenev vbart at nginx.com
Tue Oct 18 17:47:06 UTC 2016


details:   http://hg.nginx.org/nginx/rev/8081e1f3ab8b
branches:  
changeset: 6775:8081e1f3ab8b
user:      Valentin Bartenev <vbart at nginx.com>
date:      Tue Oct 18 20:46:06 2016 +0300
description:
SSL: overcame possible buffer over-read in ngx_ssl_error().

It appeared that ERR_error_string_n() cannot handle zero buffer size well enough
and causes over-read.

The problem has also been fixed in OpenSSL:
https://git.openssl.org/?p=openssl.git;h=e5c1361580d8de79682958b04a5f0d262e680f8b

diffstat:

 src/event/ngx_event_openssl.c |  4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diffs (14 lines):

diff -r bcb107bb89cd -r 8081e1f3ab8b src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c	Sat Oct 08 18:05:00 2016 +1100
+++ b/src/event/ngx_event_openssl.c	Tue Oct 18 20:46:06 2016 +0300
@@ -2137,7 +2137,9 @@ ngx_ssl_error(ngx_uint_t level, ngx_log_
             break;
         }
 
-        if (p >= last) {
+        /* ERR_error_string_n() requires at least one byte */
+
+        if (p >= last - 1) {
             goto next;
         }
 



More information about the nginx-devel mailing list