From: Richard Levitte Date: Tue, 17 Aug 2021 06:46:23 +0000 (+0200) Subject: EVP_PKEY_get_utf8_string_param(): ensure the string is NUL terminated X-Git-Tag: openssl-3.0.0~106 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4e92d5c79d501d09a978fd896c715da07902d8b7;p=thirdparty%2Fopenssl.git EVP_PKEY_get_utf8_string_param(): ensure the string is NUL terminated A check is added to fail this function if the string buffer isn't large enough to accomodate a terminating NUL byte. Reviewed-by: Viktor Dukhovni (Merged from https://github.com/openssl/openssl/pull/16334) --- diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index fa3a0258fab..2bc1237488d 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -2145,7 +2145,7 @@ err: int EVP_PKEY_get_octet_string_param(const EVP_PKEY *pkey, const char *key_name, unsigned char *buf, size_t max_buf_sz, - size_t *out_sz) + size_t *out_len) { OSSL_PARAM params[2]; int ret1 = 0, ret2 = 0; @@ -2157,14 +2157,14 @@ int EVP_PKEY_get_octet_string_param(const EVP_PKEY *pkey, const char *key_name, params[1] = OSSL_PARAM_construct_end(); if ((ret1 = EVP_PKEY_get_params(pkey, params))) ret2 = OSSL_PARAM_modified(params); - if (ret2 && out_sz != NULL) - *out_sz = params[0].return_size; + if (ret2 && out_len != NULL) + *out_len = params[0].return_size; return ret1 && ret2; } int EVP_PKEY_get_utf8_string_param(const EVP_PKEY *pkey, const char *key_name, char *str, size_t max_buf_sz, - size_t *out_sz) + size_t *out_len) { OSSL_PARAM params[2]; int ret1 = 0, ret2 = 0; @@ -2176,8 +2176,16 @@ int EVP_PKEY_get_utf8_string_param(const EVP_PKEY *pkey, const char *key_name, params[1] = OSSL_PARAM_construct_end(); if ((ret1 = EVP_PKEY_get_params(pkey, params))) ret2 = OSSL_PARAM_modified(params); - if (ret2 && out_sz != NULL) - *out_sz = params[0].return_size; + if (ret2 && out_len != NULL) + *out_len = params[0].return_size; + + if (ret2 && params[0].return_size == max_buf_sz) + /* There was no space for a NUL byte */ + return 0; + /* Add a terminating NUL byte for good measure */ + if (ret2 && str != NULL) + str[params[0].return_size] = '\0'; + return ret1 && ret2; } diff --git a/doc/man3/EVP_PKEY_gettable_params.pod b/doc/man3/EVP_PKEY_gettable_params.pod index 27240b0d3ba..4c0737d0503 100644 --- a/doc/man3/EVP_PKEY_gettable_params.pod +++ b/doc/man3/EVP_PKEY_gettable_params.pod @@ -47,14 +47,16 @@ EVP_PKEY_get_bn_param() retrieves a key I BIGNUM value I<**bn> associated with a name of I. If I<*bn> is NULL then the BIGNUM is allocated by the method. -EVP_PKEY_get_utf8_string_param() get a key I UTF8 string value int a buffer -I of maximum size I associated with a name of I. -If I is not NULL the I<*out_sz> is set to the length of the string +EVP_PKEY_get_utf8_string_param() get a key I UTF8 string value into a +buffer I of maximum size I associated with a name of +I. The maximum size must be large enough to accomodate the string +value including a terminating NUL byte, or this function will fail. +If I is not NULL, I<*out_len> is set to the length of the string not including the terminating NUL byte. -EVP_PKEY_get_octet_string_param() copy a I's octet string value into a buffer -I of maximum size I associated with a name of I. -I<*out_sz> is the returned size of the buffer if it is not NULL. +EVP_PKEY_get_octet_string_param() get a key I's octet string value into a +buffer I of maximum size I associated with a name of I. +If I is not NULL, I<*out_len> is set to the length of the contents. =head1 NOTES