[CDRIVER-3585] Wrong length allocated for output string of MultiByteToWideChar Created: 23/Mar/20  Updated: 28/Oct/23  Resolved: 24/Mar/20

Status: Closed
Project: C Driver
Component/s: tls
Affects Version/s: None
Fix Version/s: 1.17.0-beta, 1.17.0

Type: Bug Priority: Major - P3
Reporter: Kevin Albertson Assignee: Kevin Albertson
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to CDRIVER-3586 Test crl_file for all TLS implementat... Backlog

 Description   

MultiByteToWideChar documents:

Calling this function can easily cause a buffer overrun because the size of the input buffer indicated by lpMultiByteStr equals the number of bytes in the string, while the size of the output buffer indicated by lpWideCharStr equals the number of characters.

In mongoc_secure_channel_setup_crl it appears we have the same issue:

   str = (LPWSTR) bson_malloc0 (chars);
   MultiByteToWideChar (CP_ACP, 0, opt->crl_file, -1, str, chars);

This allocates chars bytes, but should be allocating chars number of wchar_t (2 bytes each).

This was discovered when manually testing the crl_file on Windows to document how OCSP interacts with the crl_file option.



 Comments   
Comment by Githook User [ 24/Mar/20 ]

Author:

{'name': 'Kevin Albertson', 'username': 'kevinAlbs', 'email': 'kevin.albertson@mongodb.com'}

Message: CDRIVER-3585 fix crl_file str conversion for schannel
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/359cf9b1789dba85e49ea9ef9e38d41df96bede2

Generated at Wed Feb 07 21:18:29 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.