git.ipfire.org Git - thirdparty/openssl.git/commitdiff
Harden property put_str() helper corner case
author Viktor Dukhovni <openssl-users@dukhovni.org>
Sat, 20 Sep 2025 04:02:52 +0000 (14:02 +1000)
committer Tomas Mraz <tomas@openssl.org>
Tue, 23 Sep 2025 09:57:29 +0000 (11:57 +0200)
The put_str() helper of the internal ossl_property_list_to_string()
function failed to correctly check the remaining buffer length in a
corner case in which a property name or string value needs quoting,
and exactly one byte of unused space remained in the output buffer.

The only potentially affected calling code is conditionally compiled
(disabled by default) provider "QUERY" tracing that is executed only
when also requested at runtime.  An initial fragment of the property
list encoding would need to use up exactly 511 bytes, leaving just 1
byte for the next string which requires quoting.  Bug reported by

    Aniruddhan Murali (@ashamedbit)
    Noble Saji Mathews (@NobleMathews)

both from the University of Waterloo.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28624)

(cherry picked from commit c6e44fa347aabfc279ec2e50a02fd764c2e8e241)
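The corner case the commit message describes, worked through in a hypothetical model (added here; this is not OpenSSL's put_str()/put_char(), which are not shown on this page, and their exact behaviour after the missed check is not stated in the commit). The model is a bounded "write or count" appender: `*remain` is the unused space including the byte reserved for the NUL terminator, `*needed` keeps counting the full encoding even when nothing fits, and a value is quoted if it contains anything outside `[A-Za-z0-9_.]`. Both checks from the hunk are selectable so the difference shows on the same input. The put_char semantics, the quoting rule, the 510-byte name, the value `a-b` and the 512-byte buffer are all constructed for the illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model appender (assumption, not OpenSSL's code): the last free byte only
 * ever receives the NUL terminator; *needed is bumped even when nothing fits. */
static void model_put_char(char ch, char **buf, size_t *remain, size_t *needed)
{
    ++*needed;
    if (*remain == 0)
        return;
    **buf = (*remain == 1) ? '\0' : ch;
    ++*buf;
    --*remain;
}

static int model_needs_quoting(const char *s)
{
    for (; *s != '\0'; s++)
        if (!isalnum((unsigned char)*s) && *s != '_' && *s != '.')
            return 1;
    return 0;
}

/* hardened != 0: patched early return (*remain <= quotes);
 * hardened == 0: original early return (*remain == 0).
 * Returns -1 when the opening quote consumed the last free byte: in this
 * model the clamp "*remain - 1" below would then wrap, which is exactly the
 * state the patched condition refuses to enter. */
static int model_put_str(const char *str, char **buf, size_t *remain,
                         size_t *needed, int hardened)
{
    size_t len = strlen(str), copy;
    int quotes = model_needs_quoting(str);

    if (hardened ? *remain <= (size_t)quotes : *remain == 0) {
        *needed += len + 2 * (size_t)quotes;
        return 0;
    }
    if (quotes)
        model_put_char('\'', buf, remain, needed);
    if (*remain == 0)
        return -1;
    copy = (*remain - 1 < len) ? *remain - 1 : len;   /* keep one byte for NUL */
    memcpy(*buf, str, copy);
    *buf += copy;
    *remain -= copy;
    *needed += len;
    if (quotes)
        model_put_char('\'', buf, remain, needed);
    return 0;
}

struct model_result {
    size_t needed;   /* size of the full encoding, including the NUL */
    size_t written;  /* strlen() of what landed in the buffer (0 without one) */
    int fault;       /* 1 if the unhardened check let the corner case through */
};

/* Encode comma-separated name=value pairs into buf[bufsize]. */
static struct model_result model_encode(const char *const *names,
                                        const char *const *values, size_t n,
                                        char *buf, size_t bufsize, int hardened)
{
    struct model_result r = { 0, 0, 0 };
    char *p = buf;
    size_t remain = bufsize, i;

    for (i = 0; i < n; i++) {
        if (i > 0)
            model_put_char(',', &p, &remain, &r.needed);
        if (model_put_str(names[i], &p, &remain, &r.needed, hardened) < 0) {
            r.fault = 1;
            return r;
        }
        model_put_char('=', &p, &remain, &r.needed);
        if (model_put_str(values[i], &p, &remain, &r.needed, hardened) < 0) {
            r.fault = 1;
            return r;
        }
    }
    model_put_char('\0', &p, &remain, &r.needed);
    if (bufsize > 0)
        r.written = strlen(buf);
    return r;
}

/* Constructed instance of the commit's scenario: a 510-byte name plus '='
 * fills exactly 511 bytes of a 512-byte buffer, then a value needing quotes
 * arrives with one byte left.  bufsize 0 models the sizing pass. */
static struct model_result run_corner_case(int hardened, size_t bufsize)
{
    static char name[511];
    char out[1024];
    const char *names[1] = { name };
    const char *values[1] = { "a-b" };   /* '-' forces quoting */

    memset(name, 'x', 510);
    name[510] = '\0';
    if (bufsize > sizeof out)
        bufsize = sizeof out;
    return model_encode(names, values, 1, bufsize ? out : NULL, bufsize, hardened);
}

int main(void)
{
    struct model_result fixed = run_corner_case(1, 512);
    struct model_result orig = run_corner_case(0, 512);

    printf("patched check: needed=%zu written=%zu fault=%d\n",
           fixed.needed, fixed.written, fixed.fault);
    printf("original check: fault=%d\n", orig.fault);
    return 0;
}
```

With the patched condition the model stops before the quote, reports the full 517-byte requirement and leaves a NUL-terminated 511-byte prefix in the buffer; with the original condition the opening quote takes the last byte and the model flags the fault. A sizing pass (bufsize 0) and a roomy buffer (1024) behave the same under both conditions, which is why the bug needs the exact one-byte-left alignment the commit message describes.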

crypto/property/property_parse.c

index 3a67754224f0652e3ce4d6b633c096b05b6a17f6..23963c89bc46aa8d1acf9ce6de1ac49259a0aaad 100644 (file)
@@ -641,7 +641,7 @@ static void put_str(const char *str, char **buf, size_t *remain, size_t *needed)
         }
 
     quotes = quote != '\0';
-    if (*remain == 0) {
+    if (*remain <= (size_t)quotes) {
         *needed += 2 * quotes;
         return;
     }
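Review bot: the new condition `if (*remain <= (size_t)quotes)` should carry a one-line comment, because read cold it looks like an off-by-one rather than the intended fix: when quoting is needed and exactly one byte remains, that byte can hold nothing but the terminator, so emitting the opening quote would leave no room for the string and the length handling that follows. Something like "with one byte left only the NUL fits; an opening quote would exhaust the buffer" above the check would save the next reader the derivation. Two follow-ups on the same hunk: the early return credits `*needed += 2 * quotes;` for the quote characters only, so please confirm the string's own length is added to `*needed` before this point (not visible in the hunk), since callers size the buffer from that count; and a regression test that fills 511 bytes of a 512-byte buffer and then appends a value that needs quoting, the exact case the commit message describes, would pin the fix.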