win32_joiner() in crypto/dso/dso_win32.c writes 1 byte past the allocation when the directory has no trailing separator and file is NULL · openssl/openssl#31260

(2 comments) (0 reactions) (0 assignees)C (30,157 stars) (11,262 forks)batch import

branch: 3.0branch: 3.4branch: 3.5branch: 3.6branch: 4.0good first issuetriaged: bug

説明

In win32_joiner() (crypto/dso/dso_win32.c), the directory trailing-separator is budgeted into len only when file_split->file is non-NULL but is emitted unconditionally by the directory loop; when dir is set without a trailing separator and file == NULL, the final result[offset] = '\0' writes one byte past OPENSSL_malloc(len + 1).

コントリビューターガイド

技術スタック: c
領域: securitybackend
Issue 種別: bug
難度: 3
推定時間: 1-3 hours
活動状況: fresh
明確さ: clear
前提条件: C programmingknowledge of memory management
初心者向け度: 35
調査方針: The issue is in crypto/dso/dso win32.c, function win32 joiner(). The bug occurs when directory has no trailing separator and file is NULL, causing a buffer overflow. To fix, ensure that the null terminator is only written within allocated bounds, or adjust allocation to account for the separator when dir lacks it. The fix should check if file split >file is NULL when adding the separator, and only allocate extra byte if needed.