I am not 100% sure this is a real bug, hence mailing openssl-users instead of rt@.

    641  if (is_sslv3)
    642  {
         <snip>
    647      unsigned overhang = header_length-md_block_size;
    648      md_transform(md_state.c, header);
    649      memcpy(first_block, header + md_block_size, overhang);

My suspicion lies in line 649, where we're copying overhang number of bytes from (header + md_block_size).

I believe that copying from (header + md_block_size) is out-of-bound access (overrun). header is an array of 13 unsigned chars, and md_block_size == 64 (or 128 in some cases). Hence (header + md_block_size) points outside of header[13]. Assuming overhang > 0, by doing a memcpy(), we have a problem, no?

Thanks
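
The bounds question raised in the message above, written as an explicit check. This is an added example, not code from the original post or from OpenSSL: checked_copy_from and copy_overhang are hypothetical helpers, and the 75-byte buffer and header_length of 75 are constructed values chosen only so that overhang > 0.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not an OpenSSL function): copy n bytes from src[off]
 * only if [off, off + n) lies inside the src_len bytes backing src and n
 * fits in dst_len. Returns 1 on success, 0 if the copy is out of bounds. */
static int checked_copy_from(unsigned char *dst, size_t dst_len,
                             const unsigned char *src, size_t src_len,
                             size_t off, size_t n)
{
    if (off > src_len)      /* start is already past the end of src */
        return 0;
    if (n > src_len - off)  /* cannot wrap: off <= src_len here */
        return 0;
    if (n > dst_len)
        return 0;
    memcpy(dst, src + off, n);
    return 1;
}

/* Mirrors lines 647-649 of the quoted snippet, but takes the real size of
 * the buffer behind header. Returns 1 if the overhang was copied. */
static int copy_overhang(unsigned char *first_block, size_t first_block_len,
                         const unsigned char *header, size_t header_buf_len,
                         size_t header_length, size_t md_block_size)
{
    if (header_length < md_block_size)  /* unsigned subtraction would wrap */
        return 0;
    return checked_copy_from(first_block, first_block_len, header,
                             header_buf_len, md_block_size,
                             header_length - md_block_size);
}

int main(void)
{
    unsigned char small[13] = {0};  /* the 13-byte header from the post */
    unsigned char large[75];        /* constructed larger buffer */
    unsigned char first_block[128];

    memset(large, 0xAB, sizeof(large));
    printf("13-byte buffer: %d\n", copy_overhang(first_block,
           sizeof(first_block), small, sizeof(small), 75, 64));
    printf("75-byte buffer: %d\n", copy_overhang(first_block,
           sizeof(first_block), large, sizeof(large), 75, 64));
    return 0;
}
```

Whether the memcpy at line 649 stays in bounds depends on how many bytes actually back the header pointer at the call site, which the quoted snippet alone does not show.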