authorRich Salz <rsalz@openssl.org>2017-06-08 09:26:20 -0400
committerRich Salz <rsalz@openssl.org>2017-06-08 09:26:20 -0400
commit3dce109905deb869ec395eeaafdcfae08292a04c (patch)
treeb46ceb254d8ac3f9da7bb287e829540de40c3e8a
parent1c036c6443af3d0d912f074b0a2c4055c804115c (diff)
downloadopenssl-3dce109905deb869ec395eeaafdcfae08292a04c.tar.gz
Fix possible memory over-read in apps/s_client.c
A buffer returned from BIO_gets is not checked for its length before its contents are read. Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3630)
-rw-r--r--apps/s_client.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/apps/s_client.c b/apps/s_client.c
index 9ec7217376..84dad97a04 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -2172,6 +2172,15 @@ int s_client_main(int argc, char **argv)
* HTTP/d.d ddd Reason text\r\n
*/
mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
+ if (mbuf_len < (int)strlen("HTTP/1.0 200")) {
+ BIO_printf(bio_err,
+ "%s: HTTP CONNECT failed, insufficient response "
+ "from proxy (got %d octets)\n", prog, mbuf_len);
+ (void)BIO_flush(fbio);
+ BIO_pop(fbio);
+ BIO_free(fbio);
+ goto shut;
+ }
if (mbuf[8] != ' ') {
BIO_printf(bio_err,
"%s: HTTP CONNECT failed, incorrect response "
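Review bot: The guard `if (mbuf_len < (int)strlen("HTTP/1.0 200"))` also takes the branch when BIO_gets fails or hits EOF, where it returns zero or a negative value, so the diagnostic can print a negative count such as "got -1 octets". Reporting the two cases separately, or clamping with `mbuf_len < 0 ? 0 : mbuf_len` in the BIO_printf argument, would keep the log unambiguous when someone triages a proxy failure. The flush/pop/free/`goto shut` sequence presumably repeats in the `mbuf[8] != ' '` branch that follows, which is cut off at the end of the hunk; a shared cleanup label would stop the two copies drifting apart. A short comment such as `/* need at least "HTTP/d.d ddd" before indexing mbuf[8] */` above the check would tie the constant to the status-line format documented just before it. s_client_main starts and ends outside this hunk.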