vtls: fix potential ssl_buffer stack overflow

In Curl_multissl_version() it was possible to overflow the passed in buffer if the generated version string exceeded the size of the buffer. Fix by inverting the logic, and also make sure to not exceed the local buffer during the string generation. Closes #3863 Reported-by: nevv on HackerOne/curl Reviewed-by: Jay Satiro Reviewed-by: Daniel Stenberg
2024-08-13 17:03:50 -04:00 · 2019-05-13 20:27:50 +02:00 · 2019-05-13 20:27:50 +02:00 · b4bb920405
commit b4bb920405
parent ae3f838b9a
1 changed files with 5 additions and 4 deletions
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@ -1239,16 +1239,17 @@ static size_t Curl_multissl_version(char *buffer, size_t size)

  if(current != selected) {
    char *p = backends;
+    char *end = backends + sizeof(backends);
    int i;

    selected = current;

-    for(i = 0; available_backends[i]; i++) {
+    for(i = 0; available_backends[i] && p < (end - 4); i++) {
      if(i)
        *(p++) = ' ';
      if(selected != available_backends[i])
        *(p++) = '(';
-      p += available_backends[i]->version(p, backends + sizeof(backends) - p);
+      p += available_backends[i]->version(p, end - p - 2);
      if(selected != available_backends[i])
        *(p++) = ')';
    }
@ -1256,14 +1257,14 @@ static size_t Curl_multissl_version(char *buffer, size_t size)
    total = p - backends;
  }

-  if(size < total)
+  if(size > total)
    memcpy(buffer, backends, total + 1);
  else {
    memcpy(buffer, backends, size - 1);
    buffer[size - 1] = '\0';
  }

-  return total;
+  return CURLMIN(size - 1, total);
 }

 static int multissl_init(const struct Curl_ssl *backend)