Commit c56d37defe for openssl.org

commit c56d37defe3cf84e52f5e6bb5a90679c17cae96f
Author: Matt Caswell <matt@openssl.foundation>
Date:   Wed Apr 8 16:36:42 2026 +0100

    Fix off-by-one s_client overflows

    There are one byte buffer overflows possible in s_client's handling
    of STARTTLS in various protocols. If a server's response fills the entire
    buffer (16k) then we attempt to add a NUL terminator one byte off the end
    of the buffer.

    This was reported by Igor Morgenstern from AISLE to openssl-security and
    assessed by the security team as "bug or hardening only".

    Reviewed-by: Paul Dale <paul.dale@oracle.com>
    Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
    Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
    Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
    MergeDate: Sat Apr 11 16:16:24 2026
    (Merged from https://github.com/openssl/openssl/pull/30731)

diff --git a/apps/s_client.c b/apps/s_client.c
index 9acdabf3f6..3aaf19d03b 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -2720,7 +2720,7 @@ re_start:
                          "xmlns='jabber:%s' to='%s' version='1.0'>",
             starttls_proto == PROTO_XMPP ? "client" : "server",
             protohost ? protohost : host);
-        seen = BIO_read(sbio, mbuf, BUFSIZZ);
+        seen = BIO_read(sbio, mbuf, BUFSIZZ - 1);
         if (seen < 0) {
             BIO_printf(bio_err, "BIO_read failed\n");
             goto end;
@@ -2729,7 +2729,7 @@ re_start:
         while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")
             && !strstr(mbuf,
                 "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\"")) {
-            seen = BIO_read(sbio, mbuf, BUFSIZZ);
+            seen = BIO_read(sbio, mbuf, BUFSIZZ - 1);

             if (seen <= 0)
                 goto shut;
@@ -2738,7 +2738,7 @@ re_start:
         }
         BIO_puts(sbio,
             "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
-        seen = BIO_read(sbio, sbuf, BUFSIZZ);
+        seen = BIO_read(sbio, sbuf, BUFSIZZ - 1);
         if (seen < 0) {
             BIO_puts(bio_err, "BIO_read failed\n");
             goto shut;
@@ -2963,7 +2963,7 @@ re_start:
                 "Didn't find STARTTLS in server response,"
                 " trying anyway...\n");
         BIO_puts(sbio, "STARTTLS\r\n");
-        mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ);
+        mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ - 1);
         if (mbuf_len < 0) {
             BIO_puts(bio_err, "BIO_read failed\n");
             goto end;
@@ -3004,7 +3004,7 @@ re_start:
                 "Didn't find STARTTLS in server response,"
                 " trying anyway...\n");
         BIO_puts(sbio, "STARTTLS\r\n");
-        mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ);
+        mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ - 1);
         if (mbuf_len < 0) {
             BIO_puts(bio_err, "BIO_read failed\n");
             goto end;