| Severity | | |
| Remote | | |
| Type | + | Arbitrary code execution |
| Description | + | The patch applied to address CVE-2016-6307 resulted in an issue where, if a message larger than approximately 16k is received, the underlying buffer used to store the incoming message is reallocated and moved. Unfortunately, a dangling pointer to the old location is left behind, which results in an attempt to write to the previously freed location. This is likely to result in a crash; however, it could potentially lead to execution of arbitrary code. |
| | + | This issue was reported to OpenSSL on 23rd September 2016 by Robert Święcki (Google Security Team), and was found using honggfuzz. |
| References | + | https://www.openssl.org/news/secadv/20160926.txt |
| Notes | + | This issue only affects OpenSSL 1.1.0a. |
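The realloc-then-dangling-pointer bug class from the Description, shown as an added C example that is not OpenSSL's code: a growable message buffer whose read cursor is stored as an offset (`read_off`) rather than a raw pointer, so it stays valid when `realloc()` moves the block once a message exceeds the initial ~16k size. The `msgbuf` names, the `demo_large_message` check and the 16384-byte threshold are assumptions for illustration only.

```c
#include <stdlib.h>
#include <string.h>
#define INITIAL_CAP 16384 /* ~16k: the growth threshold the advisory describes (assumed) */
struct msgbuf {
    unsigned char *data;
    size_t len, cap;  /* bytes stored / bytes allocated */
    size_t read_off;  /* cursor kept as an offset, so it survives a realloc move */
};
int msgbuf_init(struct msgbuf *b) {
    b->data = malloc(INITIAL_CAP);
    b->len = b->read_off = 0;
    b->cap = b->data ? INITIAL_CAP : 0;
    return b->data != NULL;
}
/* Grow to at least `need` bytes. realloc() may move the block, so any raw
 * pointer into b->data taken before this call must be treated as dead:
 * the dangling pointer in the advisory is exactly such a stale pointer. */
int msgbuf_reserve(struct msgbuf *b, size_t need) {
    if (need <= b->cap) return 1;
    size_t ncap = b->cap ? b->cap : INITIAL_CAP;
    while (ncap < need) ncap *= 2;
    unsigned char *n = realloc(b->data, ncap);
    if (!n) return 0;             /* old block stays valid on failure */
    b->data = n;
    b->cap = ncap;
    return 1;
}
int msgbuf_append(struct msgbuf *b, const unsigned char *src, size_t n) {
    if (!msgbuf_reserve(b, b->len + n)) return 0;
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 1;
}
/* Always re-derive the cursor from the offset; never cache it across appends. */
unsigned char *msgbuf_cursor(const struct msgbuf *b) { return b->data + b->read_off; }
/* Append 20480 bytes (> INITIAL_CAP) so realloc must run, then confirm the
 * re-derived cursor still points inside the live allocation. Returns 1 if so. */
int demo_large_message(void) {
    struct msgbuf b;
    unsigned char chunk[4096];
    if (!msgbuf_init(&b)) return -1;
    memset(chunk, 'A', sizeof chunk);
    b.read_off = 5; /* constructed: pretend 5 header bytes were already consumed */
    for (int i = 0; i < 5; i++)
        if (!msgbuf_append(&b, chunk, sizeof chunk)) { free(b.data); return -1; }
    unsigned char *cur = msgbuf_cursor(&b);
    int ok = cur >= b.data && cur < b.data + b.len && b.len == 20480;
    free(b.data);
    return ok;
}
```

Running this under AddressSanitizer or Valgrind is the practical check for the bug class: a cached pointer used after `msgbuf_reserve` moves the block is reported as a heap-use-after-free, which the offset-based cursor avoids.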