From e0e276b50a1eb410a15100d6fe889fceaab16793 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Wed, 11 Mar 2026 15:06:32 +0000 Subject: [PATCH] Fix a one byte buffer overflow in s_client The buffer used to process user commands when using advanced mode ("-adv") can overflow the buffer by one byte if the read buffer is exactly BUFSIZZ bytes in length (16k). When processing the buffer we add a NUL terminator to the buffer, so if the buffer is already full then we overwrite by one byte when we add the NUL terminator. This does not represent a security issue because this is entirely local and would be "self-inflicted", i.e. not under attacker control. This issue was reported to us by Igor Morgenstern from AISLE. Reviewed-by: Paul Dale Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz MergeDate: Thu Mar 12 17:56:37 2026 (Merged from https://github.com/openssl/openssl/pull/30376) (cherry picked from commit 440ac348bf7ad86aaed3eb6a18c7ce587dccb350) --- apps/s_client.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/apps/s_client.c b/apps/s_client.c index f1f0ce0f0f9..5c4003d061c 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -3923,7 +3923,11 @@ static void user_data_init(struct user_data_st *user_data, SSL *con, char *buf, static int user_data_add(struct user_data_st *user_data, size_t i) { - if (user_data->buflen != 0 || i > user_data->bufmax) + /* + * We must allow one byte for a NUL terminator so i must be less than + * bufmax + */ + if (user_data->buflen != 0 || i >= user_data->bufmax) return 0; user_data->buflen = i; -- 2.47.3
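Review bot: In user_data_add(), the new `i >= user_data->bufmax` test makes a read of exactly bufmax bytes return 0, the same value returned for the `buflen != 0` case, so a caller cannot tell "previous data still pending" from "input leaves no room for the NUL terminator". The hunk does not show how callers treat that 0; it is worth confirming that a full-size read is reported or retried rather than silently dropped, or alternatively capping the read at bufmax - 1 at the call site so the input is never rejected. The new comment could also say that the terminator is written just past the i bytes of data, which is why i == bufmax is out of bounds. The diffstat touches only apps/s_client.c, so nothing in this patch exercises the BUFSIZZ-length case; a test feeding exactly that many bytes in "-adv" mode would keep the boundary from regressing.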