Bug #116598 for Net-SSLeay: Incorrect use of sizeof in tlsext_ticket_key_cb

Sun Jul 31 07:47:13 2016 sinan [...] unur.com - Ticket created

CC:	bug-Net-SSLeay [...] rt.cpan.org
Subject:	Incorrect use of sizeof in tlsext_ticket_key_cb_invoke
Date:	Sun, 31 Jul 2016 07:47:04 -0400
To:	"A. Sinan Unur" <sinan [...] unur.com>
From:	"A. Sinan Unur" <sinan [...] unur.com>

I just built 1.76 where you moved from bzero to memset to fix https://rt.cpan.org/Public/Bug/Display.html?id=116596 However, upon closer inspection, I see the following in the function tlsext_ticket_key_cb_invoke in file SSLeay.c in https://cpan.metacpan.org/authors/id/M/MI/MIKEM/Net-SSLeay-1.76.tar.gz One of the parameters of this function is: unsigned char *key_name, On line 1324, you have: memset(key_name, 0, sizeof(key_name)); That is a serious bug. sizeof(pointer) will only ever return the size of the pointer, not the area of the memory it points to. See also the C FAQ: http://c-faq.com/aryptr/aryparmsize.html http://c-faq.com/malloc/sizeof.html -- Sinan

Sun Jul 31 08:16:35 2016 nanis [...] cpan.org - Correspondence added

Subject:	Re: [rt.cpan.org #116598] AutoReply: Incorrect use of sizeof in tlsext_ticket_key_cb_invoke
Date:	Sun, 31 Jul 2016 08:16:26 -0400
To:	bug-Net-SSLeay [...] rt.cpan.org
From:	"A. Sinan Unur" <nanis [...] cpan.org>

Show quoted text

> https://rt.cpan.org/Ticket/Display.html?id=116598

Apologies for the confusion, I meant to refer to SSLeay.xs rather than the generated SSLeay.c file. SSLeay.xs:1315: memset(key_name, 0, sizeof(key_name)); -- Sinan

Sun Jul 31 08:16:35 2016 The RT System itself - Status changed from 'new' to 'open'

Sun Jul 31 16:29:18 2016 mikem [...] airspayce.com - Correspondence added

Subject:	Re: [rt.cpan.org #116598] Incorrect use of sizeof in tlsext_ticket_key_cb_invoke
Date:	Mon, 01 Aug 2016 06:29:02 +1000
To:	bug-Net-SSLeay [...] rt.cpan.org
From:	Mike McCauley <mikem [...] airspayce.com>

Thanks for reporting this Fixed in new version 1.78 On Sunday, July 31, 2016 07:47:18 AM A. Sinan Unur via RT wrote: Show quoted text

> Sun Jul 31 07:47:13 2016: Request 116598 was acted upon. > Transaction: Ticket created by sinan@unur.com > Queue: Net-SSLeay > Subject: Incorrect use of sizeof in tlsext_ticket_key_cb_invoke > Broken in: (no value) > Severity: (no value) > Owner: Nobody > Requestors: sinan@unur.com > Status: new > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=116598 > > > > I just built 1.76 where you moved from bzero to memset to fix > https://rt.cpan.org/Public/Bug/Display.html?id=116596 > > However, upon closer inspection, I see the following in the function > > tlsext_ticket_key_cb_invoke > > in file SSLeay.c in > https://cpan.metacpan.org/authors/id/M/MI/MIKEM/Net-SSLeay-1.76.tar.gz > > One of the parameters of this function is: > > unsigned char *key_name, > > On line 1324, you have: > > memset(key_name, 0, sizeof(key_name)); > > That is a serious bug. sizeof(pointer) will only ever return the size > of the pointer, not the area of the memory it points to. See also the > C FAQ: > > http://c-faq.com/aryptr/aryparmsize.html > http://c-faq.com/malloc/sizeof.html > > -- Sinan

-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474

Sun Jul 08 11:42:06 2018 chrisn [...] cpan.org - Status changed from 'open' to 'resolved'

Sun Jul 08 11:42:07 2018 chrisn [...] cpan.org - Given to MIKEM

Sun Jul 08 11:42:07 2018 chrisn [...] cpan.org - Fixed in 1.78 added

Bug #116598 for Net-SSLeay: Incorrect use of sizeof in tlsext_ticket_key_cb_invoke