Harden property put_str() helper corner case #28624
Closed
vdukhovni wants to merge 2 commits into openssl:master from
The put_str() helper of the internal ossl_property_list_to_string()
function failed to correctly check the remaining buffer length in a
corner case in which a property name or string value needs quoting,
and exactly one byte of unused space remained in the output buffer.
The only potentially affected calling code is conditionally compiled
(disabled by default) provider "QUERY" tracing that is executed only
when also requested at runtime. An initial fragment of the property
list encoding would need to use up exactly 511 bytes, leaving just 1
byte for the next string which requires quoting. Bug reported by
Aniruddhan Murali (@ashamedbit)
Noble Saji Mathews (@NobleMathews)
both from the University of Waterloo.
c443827 to
f1c3584
paulidale
previously approved these changes
Sep 21, 2025
slontis
requested changes
Sep 22, 2025
Member
Please add a test to property_test.c
The following segfaults for me before the change:
```c
static int test_property_list_to_string_bounds(void)
{
    OSSL_PROPERTY_LIST *pl = NULL;
    char buf[16];
    int ret = 0;

    if (!TEST_ptr(pl = ossl_parse_query(NULL, "provider='$1'", 1)))
        goto err;
    if (!TEST_size_t_eq(ossl_property_list_to_string(NULL, pl, buf, 10), 14))
        goto err;
    ret = 1;
err:
    ossl_property_free(pl);
    return ret;
}
.
.
ADD_TEST(test_property_list_to_string_bounds);
```
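A simplified model of the corner case from the description, run on the same input as the test above: an added illustration, not OpenSSL's code and not part of the original review. The names `struct out`, `copy_len_unchecked`, `copy_len_checked` and `model_bounds` are hypothetical, and the unguarded `remain - 1` is this model's assumption about how such a length check can go wrong.

```c
#include <stdio.h>
#include <string.h>
/* Cursor over a fixed output buffer (hypothetical model, not OpenSSL code). */
struct out { char *p; size_t remain, needed; };

/* Append one character; the last free byte always receives the NUL instead. */
static void put_char(struct out *o, char ch)
{
    o->needed++;
    if (o->remain == 0)
        return;
    *o->p++ = (o->remain == 1) ? '\0' : ch;
    o->remain--;
}

/* Unchecked: assumes a byte is still free after the opening quote. */
static size_t copy_len_unchecked(size_t remain, size_t len)
{
    return remain < len + 1 ? remain - 1 : len; /* wraps to SIZE_MAX at 0 */
}

/* Hardened: an exhausted buffer takes no payload bytes. */
static size_t copy_len_checked(size_t remain, size_t len)
{
    return remain == 0 ? 0 : copy_len_unchecked(remain, len);
}

/* Constructed case from the review test: provider='$1' into a small buffer. */
static size_t model_bounds(char *buf, size_t size)
{
    struct out o = { buf, size, 0 };
    const char *s, *val = "$1";
    size_t n, len = strlen(val);

    for (s = "provider="; *s != '\0'; s++)
        put_char(&o, *s);
    put_char(&o, '\'');                /* may consume the last free byte */
    n = copy_len_checked(o.remain, len);
    memcpy(o.p, val, n);
    o.p += n, o.remain -= n, o.needed += len;
    put_char(&o, '\'');
    put_char(&o, '\0');
    return o.needed;                   /* full encoded length including NUL */
}

int main(void)
{
    char buf[16];
    printf("needed=%zu buf=\"%s\"\n", model_bounds(buf, 10), buf);
    printf("unchecked length at remain=0: %zu\n", copy_len_unchecked(0, 2));
    return 0;
}
```

With a 10-byte limit, `provider=` uses 9 bytes, the opening quote takes the last one as the terminator, and only the guarded length calculation returns 0 for the payload copy.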
Author
Done. Thanks for writing the test. :-)
paulidale
approved these changes
Sep 22, 2025
openssl-machine
pushed a commit
that referenced
this pull request
Sep 23, 2025
The put_str() helper of the internal ossl_property_list_to_string()
function failed to correctly check the remaining buffer length in a
corner case in which a property name or string value needs quoting,
and exactly one byte of unused space remained in the output buffer.
The only potentially affected calling code is conditionally compiled
(disabled by default) provider "QUERY" tracing that is executed only
when also requested at runtime. An initial fragment of the property
list encoding would need to use up exactly 511 bytes, leaving just 1
byte for the next string which requires quoting. Bug reported by
Aniruddhan Murali (@ashamedbit)
Noble Saji Mathews (@NobleMathews)
both from the University of Waterloo.
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Tom Cosgrove <[email protected]>
Reviewed-by: Shane Lontis <[email protected]>
(Merged from #28624)
(cherry picked from commit c6e44fa)
openssl-machine
pushed a commit
that referenced
this pull request
Sep 23, 2025
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Tom Cosgrove <[email protected]>
Reviewed-by: Shane Lontis <[email protected]>
(Merged from #28624)
(cherry picked from commit 38e8981)
openssl-machine
pushed a commit
that referenced
this pull request
Sep 23, 2025
The put_str() helper of the internal ossl_property_list_to_string()
function failed to correctly check the remaining buffer length in a
corner case in which a property name or string value needs quoting,
and exactly one byte of unused space remained in the output buffer.
The only potentially affected calling code is conditionally compiled
(disabled by default) provider "QUERY" tracing that is executed only
when also requested at runtime. An initial fragment of the property
list encoding would need to use up exactly 511 bytes, leaving just 1
byte for the next string which requires quoting. Bug reported by
Aniruddhan Murali (@ashamedbit)
Noble Saji Mathews (@NobleMathews)
both from the University of Waterloo.
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Tom Cosgrove <[email protected]>
Reviewed-by: Shane Lontis <[email protected]>
(Merged from #28624)
openssl-machine
pushed a commit
that referenced
this pull request
Sep 23, 2025
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Tom Cosgrove <[email protected]>
Reviewed-by: Shane Lontis <[email protected]>
(Merged from #28624)
Member
Merged to all the active branches. Thank you.
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Sep 30, 2025
3.5.4 CHANGES.md includes the following: * openssl#28098 * openssl#28415 * openssl#28504 * openssl#28535 * openssl#28569 * openssl#28573 * openssl#28576 * openssl#28591 * openssl#28603 * openssl#28624 * openssl#28642 * openssl#28676 3.5.4 NEWS.md includes the following: * openssl#28603 Updated the changes and news in the previous branches. Removed the attribution in NEWS.md incorrectly introduced in e551da6 "Update news and changes for the 3.5.3 release". Release: Yes Signed-off-by: Eugene Syromiatnikov <[email protected]>
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Sep 30, 2025
3.4.3 CHANGES.md includes the following: * openssl#28098 * openssl#28415 * openssl#28504 * openssl#28535 * openssl#28591 * openssl#28603 * openssl#28624 * openssl#28642 3.4.3 NEWS.md do not have any updates. Updated the changes and news in the previous branches. Release: Yes Signed-off-by: Eugene Syromiatnikov <[email protected]>
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Sep 30, 2025
3.3.5 CHANGES.md includes the following: * openssl#28098 * openssl#28504 * openssl#28535 * openssl#28591 * openssl#28603 * openssl#28624 * openssl#28642 3.3.5 NEWS.md do not have any updates. Updated the changes and news in the previous branches. Release: Yes Signed-off-by: Eugene Syromiatnikov <[email protected]>
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Sep 30, 2025
3.2.6 CHANGES.md includes the following: * openssl#28098 * openssl#28504 * openssl#28535 * openssl#28591 * openssl#28603 * openssl#28624 * openssl#28642 3.2.6 NEWS.md do not have any updates. Updated the changes and news in the previous branches. Release: Yes Signed-off-by: Eugene Syromiatnikov <[email protected]>
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Sep 30, 2025
3.0.18 CHANGES.md includes the following: * openssl#28098 * openssl#28198 * openssl#28398 * openssl#28411 * openssl#28449 * openssl#28504 * openssl#28535 * openssl#28591 * openssl#28624 Release: Yes Signed-off-by: Eugene Syromiatnikov <[email protected]>
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Sep 30, 2025
3.2.6 CHANGES.md includes the following: * openssl#28098 * openssl#28198 * openssl#28398 * openssl#28411 * openssl#28449 * openssl#28504 * openssl#28535 * openssl#28591 * openssl#28603 * openssl#28624 * openssl#28642 3.2.6 NEWS.md do not have any updates. Updated the changes and news in the previous branches. Release: Yes Signed-off-by: Eugene Syromiatnikov <[email protected]>
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Sep 30, 2025
3.3.5 CHANGES.md includes the following: * openssl#28098 * openssl#28198 * openssl#28398 * openssl#28411 * openssl#28449 * openssl#28504 * openssl#28535 * openssl#28591 * openssl#28603 * openssl#28624 * openssl#28642 3.3.5 NEWS.md do not have any updates. Updated the changes and news in the previous branches. Release: Yes Signed-off-by: Eugene Syromiatnikov <[email protected]>
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Sep 30, 2025
3.4.3 CHANGES.md includes the following: * openssl#28098 * openssl#28198 * openssl#28398 * openssl#28411 * openssl#28415 * openssl#28449 * openssl#28504 * openssl#28535 * openssl#28591 * openssl#28603 * openssl#28624 * openssl#28642 3.4.3 NEWS.md do not have any updates. Updated the changes and news in the previous branches. Release: Yes Signed-off-by: Eugene Syromiatnikov <[email protected]>
Checklist
Bug introduced in #22182
Cc: @ashamedbit, @NobleMathews