diff options
| author | Benny Baumann <BenBE@geshi.org> | 2020-06-24 22:56:58 +0200 |
|---|---|---|
| committer | Pauli <pauli@openssl.org> | 2022-05-23 10:07:09 +1000 |
| commit | aac6ae3774f341412bc45583ef9358df5b76a008 (patch) | |
| tree | 1777d0bbb2c8544c8f041e6ca532c56f9ec41c49 | |
| parent | 0d1a0ed63d1b4faa3711a69a19f7029947524cfa (diff) | |
| download | openssl-new-aac6ae3774f341412bc45583ef9358df5b76a008.tar.gz | |
Avoid unchecked string concatenation
To avoid the issue of overflowing the buffer start while
building up the help string prefix this rewrite of the
string building logic does multiple smaller writes to
opt_printf_stderr. While this is slower it completely
avoids the buffer overflow issue and does not place
any (unchecked) length constraints on the name of passed
options. Instead such long options are gracefully
wrapped onto the next line.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12265)
| -rw-r--r-- | apps/lib/opt.c | 30 |
1 files changed, 13 insertions, 17 deletions
diff --git a/apps/lib/opt.c b/apps/lib/opt.c index ce81408e38..df9152d77b 100644 --- a/apps/lib/opt.c +++ b/apps/lib/opt.c @@ -1109,7 +1109,7 @@ static void opt_print(const OPTIONS *o, int doingparams, int width) { const char* help; char start[80 + 1]; - char *p; + int linelen, printlen; /* Avoid OOB if width is beyond the buffer size of start */ if (width >= (int)sizeof(start)) @@ -1140,31 +1140,27 @@ static void opt_print(const OPTIONS *o, int doingparams, int width) } /* Build up the "-flag [param]" part. */ - p = start; - - *p++ = ' '; + linelen = 0; - if (!doingparams) - *p++ = '-'; + printlen = opt_printf_stderr(" %s", !doingparams ? "-" : ""); + linelen += (printlen > 0) ? printlen : MAX_OPT_HELP_WIDTH; - if (o->name[0]) - p += strlen(strcpy(p, o->name)); - else - *p++ = '*'; + printlen = opt_printf_stderr("%s" , o->name[0] ? o->name : "*"); + linelen += (printlen > 0) ? printlen : MAX_OPT_HELP_WIDTH; if (o->valtype != '-') { - *p++ = ' '; - p += strlen(strcpy(p, valtype2param(o))); + printlen = opt_printf_stderr(" %s" , valtype2param(o)); + linelen += (printlen > 0) ? printlen : MAX_OPT_HELP_WIDTH; } - *p = ' '; - - if ((int)(p - start) >= MAX_OPT_HELP_WIDTH) { - *p = '\0'; - opt_printf_stderr("%s\n", start); + if (linelen >= MAX_OPT_HELP_WIDTH || linelen > width) { + opt_printf_stderr("%s", "\n"); memset(start, ' ', sizeof(start)); + linelen = 0; } + width -= linelen; + start[width] = '\0'; opt_printf_stderr("%s %s\n", start, help); } |