From: Matt Caswell <matt@openssl.org>
Date: Wed, 6 Dec 2023 11:51:01 +0000 (+0000)
Subject: Fix some invalid use of sscanf
X-Git-Tag: openssl-3.1.5~97
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f437288d5fa5bd95b1e5dd99db42bfbb735548dc;p=thirdparty%2Fopenssl.git

Fix some invalid use of sscanf

sscanf can return -1 on an empty input string. We need to appropriately
handle such an invalid case.

The instance in OSSL_HTTP_parse_url could cause an uninitialised read of
sizeof(unsigned int) bytes (typically 4). In many cases this uninit read
will immediately fail on the following check (i.e. if the read value
>65535).

If the top 2 bytes of a 4 byte unsigned int are zero then the value will
be <=65535 and the uninitialised value will be returned to the caller and
could represent arbitrary data on the application stack.

The OpenSSL security team has assessed this issue and consider it to be
a bug only (i.e. not a CVE).

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/22961)

(cherry picked from commit 322517d817ecb5c1a3a8b0e7e038fa146857b4d4)
---

diff --git a/apps/errstr.c b/apps/errstr.c
index 782705a78a3..21349d21cb4 100644
--- a/apps/errstr.c
+++ b/apps/errstr.c
@@ -62,7 +62,7 @@ int errstr_main(int argc, char **argv)
     /* All remaining arg are error code. */
     ret = 0;
     for (argv = opt_rest(); *argv != NULL; argv++) {
-        if (sscanf(*argv, "%lx", &l) == 0) {
+        if (sscanf(*argv, "%lx", &l) <= 0) {
             ret++;
         } else {
             ERR_error_string_n(l, buf, sizeof(buf));
diff --git a/crypto/http/http_lib.c b/crypto/http/http_lib.c
index 3164d01d9e4..cd0e25c85e4 100644
--- a/crypto/http/http_lib.c
+++ b/crypto/http/http_lib.c
@@ -118,7 +118,7 @@ int OSSL_parse_url(const char *url, char **pscheme, char **puser, char **phost,
         port = ++p;
     /* remaining port spec handling is also done for the default values */
     /* make sure a decimal port number is given */
-    if (!sscanf(port, "%u", &portnum) || portnum > 65535) {
+    if (sscanf(port, "%u", &portnum) <= 0 || portnum > 65535) {
         ERR_raise_data(ERR_LIB_HTTP, HTTP_R_INVALID_PORT_NUMBER, "%s", port);
         goto err;
     }