win32_joiner() in crypto/dso/dso_win32.c writes 1 byte past the allocation when the directory has no trailing separator and file is NULL · openssl/openssl#31260

(2 留言) (0 反應) (0 負責人)C (30,157 star) (11,262 fork)batch import

branch: 3.0branch: 3.4branch: 3.5branch: 3.6branch: 4.0good first issuetriaged: bug

描述

In win32_joiner() (crypto/dso/dso_win32.c), the directory trailing-separator is budgeted into len only when file_split->file is non-NULL but is emitted unconditionally by the directory loop; when dir is set without a trailing separator and file == NULL, the final result[offset] = '\0' writes one byte past OPENSSL_malloc(len + 1).

貢獻者指南

技術棧: c
領域: securitybackend
議題類型: bug
難度: 3
預計時間: 1-3 hours
活動狀態: fresh
清晰度: clear
前置要求: C programmingknowledge of memory management
新手友善度: 35
研究方向: The issue is in crypto/dso/dso win32.c, function win32 joiner(). The bug occurs when directory has no trailing separator and file is NULL, causing a buffer overflow. To fix, ensure that the null terminator is only written within allocated bounds, or adjust allocation to account for the separator when dir lacks it. The fix should check if file split >file is NULL when adding the separator, and only allocate extra byte if needed.