Commit 440ac348bf for openssl.org

commit 440ac348bf7ad86aaed3eb6a18c7ce587dccb350
Author: Matt Caswell <matt@openssl.foundation>
Date:   Wed Mar 11 15:06:32 2026 +0000

    Fix a one byte buffer overflow in s_client

    The buffer used to process user commands when using advanced mode ("-adv")
    can overflow the buffer by one byte if the read buffer is exactly
    BUFSIZZ bytes in length (16k). When processing the buffer we add a NUL
    terminator to the buffer, so if the buffer is already full then we
    overwrite by one byte when we add the NUL terminator.

    This does not represent a security issue because this is entirely local
    and would be "self-inflicted", i.e. not under attacker control.

    This issue was reported to us by Igor Morgenstern from AISLE.

    Reviewed-by: Paul Dale <paul.dale@oracle.com>
    Reviewed-by: Tim Hudson <tjh@openssl.org>
    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    MergeDate: Thu Mar 12 17:56:37 2026
    (Merged from https://github.com/openssl/openssl/pull/30376)

diff --git a/apps/s_client.c b/apps/s_client.c
index ad4980add0..b48b296966 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -4199,7 +4199,11 @@ static void user_data_init(struct user_data_st *user_data, SSL *con, char *buf,

 static int user_data_add(struct user_data_st *user_data, size_t i)
 {
-    if (user_data->buflen != 0 || i > user_data->bufmax)
+    /*
+     * We must allow one byte for a NUL terminator so i must be less than
+     * bufmax
+     */
+    if (user_data->buflen != 0 || i >= user_data->bufmax)
         return 0;

     user_data->buflen = i;
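
Review bot: with the check in user_data_add() now `i >= user_data->bufmax`, a read of exactly bufmax bytes returns 0, and the hunk does not show what the caller does with that result. Confirm the caller treats it as an error rather than silently dropping the input, or cap the read at bufmax - 1 bytes so a full-size read cannot occur. The new comment would also help future readers more if it named the place where the NUL terminator is written, since that write is not in the lines shown here.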