diff options
| author | Valentin Bartenev <vbart@nginx.com> | 2016-10-18 20:46:06 +0300 |
|---|---|---|
| committer | Valentin Bartenev <vbart@nginx.com> | 2016-10-18 20:46:06 +0300 |
| commit | 841737915c97ae07f626c8199c24679151bebfcd (patch) | |
| tree | 9d874386904774bc44128631fb426b4e03363b62 /src | |
| parent | 66c23edf6308867572d5c4b8341e7a3fe7e97864 (diff) | |
| download | nginx-841737915c97ae07f626c8199c24679151bebfcd.tar.gz nginx-841737915c97ae07f626c8199c24679151bebfcd.zip | |
SSL: overcame possible buffer over-read in ngx_ssl_error().
It appeared that ERR_error_string_n() cannot handle zero buffer size well enough
and causes over-read.
The problem has also been fixed in OpenSSL:
https://git.openssl.org/?p=openssl.git;h=e5c1361580d8de79682958b04a5f0d262e680f8b
Diffstat (limited to 'src')
| -rw-r--r-- | src/event/ngx_event_openssl.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c index 68d02bfef..cddcefdcf 100644 --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -2137,7 +2137,9 @@ ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, char *fmt, ...) break; } - if (p >= last) { + /* ERR_error_string_n() requires at least one byte */ + + if (p >= last - 1) { goto next; } |