From abaf99e1f47def624ac0df9991c123c662192c54 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Wed, 6 Dec 2023 11:51:01 +0000
Subject: [PATCH] Fix some invalid use of sscanf

sscanf can return -1 on an empty input string. We need to appropriately handle such an invalid case. The instance in OSSL_HTTP_parse_url could cause an uninitialised read of sizeof(unsigned int) bytes (typically 4). In many cases this uninit read will immediately fail on the following check (i.e. if the read value >65535). If the top 2 bytes of a 4 byte unsigned int are zero then the value will be <=65535 and the uninitiased value will be returned to the caller and could represent arbitrary data on the application stack. The OpenSSL security team has assessed this issue and consider it to be a bug only (i.e. not a CVE).
---
 apps/errstr.c | 2 +-
 crypto/http/http_lib.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/errstr.c b/apps/errstr.c
index 782705a78a33d2..21349d21cb4207 100644
--- a/apps/errstr.c
+++ b/apps/errstr.c
@@ -62,7 +62,7 @@ int errstr_main(int argc, char **argv)
     /* All remaining arg are error code. */
     ret = 0;
     for (argv = opt_rest(); *argv != NULL; argv++) {
-        if (sscanf(*argv, "%lx", &l) == 0) {
+        if (sscanf(*argv, "%lx", &l) <= 0) {
             ret++;
         } else {
             ERR_error_string_n(l, buf, sizeof(buf));
diff --git a/crypto/http/http_lib.c b/crypto/http/http_lib.c
index 3164d01d9e48fe..cd0e25c85e4e1f 100644
--- a/crypto/http/http_lib.c
+++ b/crypto/http/http_lib.c
@@ -118,7 +118,7 @@ int OSSL_parse_url(const char *url, char **pscheme, char **puser, char **phost,
         port = ++p;
     /* remaining port spec handling is also done for the default values */
     /* make sure a decimal port number is given */
-    if (!sscanf(port, "%u", &portnum) || portnum > 65535) {
+    if (sscanf(port, "%u", &portnum) <= 0 || portnum > 65535) {
         ERR_raise_data(ERR_LIB_HTTP, HTTP_R_INVALID_PORT_NUMBER, "%s", port);
         goto err;
     }
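Review bot: The new `sscanf(*argv, "%lx", &l) <= 0` test on the `+` line still accepts arguments with trailing garbage ("1fz" is read as 0x1f and counted as success) and, under C11 7.21.6.2, a hex string whose value does not fit in `l` is undefined behaviour rather than a reported error, which is why CERT ERR34-C steers away from sscanf for numeric conversion. Because an argv entry is a NUL-terminated string, the full check is `errno = 0; l = strtoul(*argv, &end, 16); if (end == *argv || *end != '\0' || errno == ERANGE) {`, which needs a `char *end` local next to `l` and `<errno.h>`. This is command-line input to a diagnostic tool, so the exposure is low, but the change is as small as the one the commit makes. errstr_main and the declaration of `l` lie outside the hunk.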
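Review bot: The rewritten check on the `+` line still does not deliver the "decimal port number" the comment above it promises: `%u` skips leading white space and accepts a sign, so `: 80` and `:+80` pass, and for a digit run that overflows `unsigned int` the conversion is undefined behaviour under C11 7.21.6.2 rather than a detected error (CERT ERR34-C). Since `port` appears to point into the remainder of the URL rather than at a standalone NUL-terminated number (the comment says the default-value path shares this code, and a path may follow the digits), an end-pointer check is not appropriate, but a first-character test plus strtoul's ERANGE is: `errno = 0; v = strtoul(port, NULL, 10);` followed by `if (*port < '0' || *port > '9' || errno == ERANGE || v > 65535) {`, with `v` an `unsigned long` whose value is then stored into `portnum`. How `portnum` and the end of the port digits are consumed afterwards is outside the hunk, so that assignment may need to move. OSSL_parse_url continues on both sides of the hunk.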