Uploaded image for project: 'C Driver'
  1. C Driver
  2. CDRIVER-3585

Wrong length allocated for output string of MultiByteToWideChar

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.17.0-beta, 1.17.0
    • Component/s: tls
    • Labels:
      None

      Description

      MultiByteToWideChar documents:

      Calling this function can easily cause a buffer overrun because the size of the input buffer indicated by lpMultiByteStr equals the number of bytes in the string, while the size of the output buffer indicated by lpWideCharStr equals the number of characters.

      In mongoc_secure_channel_setup_crl it appears we have the same issue:

         str = (LPWSTR) bson_malloc0 (chars);
         MultiByteToWideChar (CP_ACP, 0, opt->crl_file, -1, str, chars);
      

      This allocates chars bytes, but should be allocating chars number of wchar_t (2 bytes each).

      This was discovered when manually testing the crl_file on Windows to document how OCSP interacts with the crl_file option.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              kevin.albertson Kevin Albertson
              Reporter:
              kevin.albertson Kevin Albertson
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: