From b4bb920405a6eb045f9e1fc3b5e05715bca2b0b4 Mon Sep 17 00:00:00 2001 From: Daniel Gustafsson Date: Mon, 13 May 2019 20:27:50 +0200 Subject: vtls: fix potential ssl_buffer stack overflow In Curl_multissl_version() it was possible to overflow the passed in buffer if the generated version string exceeded the size of the buffer. Fix by inverting the logic, and also make sure to not exceed the local buffer during the string generation. Closes #3863 Reported-by: nevv on HackerOne/curl Reviewed-by: Jay Satiro Reviewed-by: Daniel Stenberg --- lib/vtls/vtls.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c index 8a405c05c..25391443f 100644 --- a/lib/vtls/vtls.c +++ b/lib/vtls/vtls.c @@ -1239,16 +1239,17 @@ static size_t Curl_multissl_version(char *buffer, size_t size) if(current != selected) { char *p = backends; + char *end = backends + sizeof(backends); int i; selected = current; - for(i = 0; available_backends[i]; i++) { + for(i = 0; available_backends[i] && p < (end - 4); i++) { if(i) *(p++) = ' '; if(selected != available_backends[i]) *(p++) = '('; - p += available_backends[i]->version(p, backends + sizeof(backends) - p); + p += available_backends[i]->version(p, end - p - 2); if(selected != available_backends[i]) *(p++) = ')'; } @@ -1256,14 +1257,14 @@ static size_t Curl_multissl_version(char *buffer, size_t size) total = p - backends; } - if(size < total) + if(size > total) memcpy(buffer, backends, total + 1); else { memcpy(buffer, backends, size - 1); buffer[size - 1] = '\0'; } - return total; + return CURLMIN(size - 1, total); } static int multissl_init(const struct Curl_ssl *backend) -- cgit v1.2.3