Uploaded image for project: 'C Driver'
  1. C Driver
  2. CDRIVER-3585

Wrong length allocated for output string of MultiByteToWideChar

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 1.17.0-beta, 1.17.0
    • Affects Version/s: None
    • Component/s: tls
    • Labels:
      None

      MultiByteToWideChar documents:

      Calling this function can easily cause a buffer overrun because the size of the input buffer indicated by lpMultiByteStr equals the number of bytes in the string, while the size of the output buffer indicated by lpWideCharStr equals the number of characters.

      In mongoc_secure_channel_setup_crl it appears we have the same issue:

         str = (LPWSTR) bson_malloc0 (chars);
   MultiByteToWideChar (CP_ACP, 0, opt->crl_file, -1, str, chars);

      This allocates chars bytes, but should be allocating chars number of wchar_t (2 bytes each).

      This was discovered when manually testing the crl_file on Windows to document how OCSP interacts with the crl_file option.

            Assignee:
            kevin.albertson@mongodb.com Kevin Albertson
            Reporter:
            kevin.albertson@mongodb.com Kevin Albertson
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: