From: Matt Caswell <matt@openssl.foundation>
Date: Wed, 11 Mar 2026 15:06:32 +0000 (+0000)
Subject: Fix a one byte buffer overflow in s_client
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=440ac348bf7ad86aaed3eb6a18c7ce587dccb350;p=thirdparty%2Fopenssl.git

Fix a one byte buffer overflow in s_client

The buffer used to process user commands when using advanced mode ("-adv")
can overflow the buffer by one byte if the the read buffer is exactly
BUFSIZZ bytes in length (16k). When processing the buffer we add a NUL
terminator to the buffer, so if the buffer is already full then we
overwrite by one byte when we add the NUL terminator.

This does not represent a security issue because this is entirely local
and would be "self-inflicted", i.e. not under attacker control.

This issue was reported to use by Igor Morgenstern from AISLE.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 12 17:56:37 2026
(Merged from https://github.com/openssl/openssl/pull/30376)
---

diff --git a/apps/s_client.c b/apps/s_client.c
index ad4980add0e..b48b296966d 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -4199,7 +4199,11 @@ static void user_data_init(struct user_data_st *user_data, SSL *con, char *buf,
 
 static int user_data_add(struct user_data_st *user_data, size_t i)
 {
-    if (user_data->buflen != 0 || i > user_data->bufmax)
+    /*
+     * We must allow one byte for a NUL terminator so i must be less than
+     * bufmax
+     */
+    if (user_data->buflen != 0 || i >= user_data->bufmax)
         return 0;
 
     user_data->buflen = i;