Harden property put_str() helper corner case

The put_str() helper of the internal ossl_property_list_to_string()
function failed to correctly check the remaining buffer length in a
corner case in which a property name or string value needs quoting,
and exactly one byte of unused space remained in the output buffer.

The only potentially affected calling code is conditionally compiled
(disabled by default) provider "QUERY" tracing that is executed only
when also requested at runtime.  An initial fragment of the property
list encoding would need to use up exactly 511 bytes, leaving just 1
byte for the next string which requires quoting.  Bug reported by

    Aniruddhan Murali (@ashamedbit)
    Noble Saji Mathews (@NobleMathews)

both from the University of Waterloo.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28624)

(cherry picked from commit c6e44fa347aabfc279ec2e50a02fd764c2e8e241)

diff --git a/crypto/property/property_parse.c b/crypto/property/property_parse.c
index dbe766d39f7ebe97873c72d954ace9fba1d9347f..3eb927bb6a832c700d67ad77d695c4577870c564 100644 (file)
--- a/crypto/property/property_parse.c
+++ b/crypto/property/property_parse.c
@@ -642,7 +642,7 @@ static void put_str(const char *str, char **buf, size_t *remain, size_t *needed)
         }
 
     quotes = quote != '\0';
-    if (*remain == 0) {
+    if (*remain <= (size_t)quotes) {
         *needed += 2 * quotes;
         return;
     }