authorhenning <>2007-10-11 11:27:31 +0000
committerhenning <>2007-10-11 11:27:31 +0000
commit18cab50e04f2dbbae945d01219e070c479b56308 (patch)
treeb2a87d678491cfd251dbdd0ff023ba847117e707
parent577a309fd6cdf905070eed969779ef0ef102fe90 (diff)
MFC, fix by moritz:OPENBSD_4_1
The SSL_get_shared_ciphers() function contains an off-by-one overflow.
-rw-r--r--src/lib/libssl/src/ssl/ssl_lib.c27
1 files changed, 12 insertions, 15 deletions
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c
index 4e8f302a5e..0f4b7a475b 100644
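--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -1168,36 +1168,33 @@ int SSL_set_cipher_list(SSL *s,const char *str)
 /* works well for SSLv2, not so good for SSLv3 */
 char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
  {
- char *p;
- const char *cp;
+ char *end;
  STACK_OF(SSL_CIPHER) *sk;
  SSL_CIPHER *c;
+ size_t curlen = 0;
  int i;
 
  if ((s->session == NULL) || (s->session->ciphers == NULL) ||
  (len < 2))
  return(NULL);
 
- p=buf;
  sk=s->session->ciphers;
+ buf[0] = '\0';
  for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
  {
- /* Decrement for either the ':' or a '\0' */
- len--;
  c=sk_SSL_CIPHER_value(sk,i);
- for (cp=c->name; *cp; )
+ end = buf + curlen;
+ if (strlcat(buf, c->name, len) >= len ||
+ (curlen = strlcat(buf, ":", len)) >= len)
  {
- if (len-- <= 0)
- {
- *p='\0';
- return(buf);
- }
- else
- *(p++)= *(cp++);
+ /* remove truncated cipher from list */
+ *end = '\0';
+ break;
  }
- *(p++)=':';
  }
- p[-1]='\0';
+ /* remove trailing colon */
+ if ((end = strrchr(buf, ':')) != NULL)
+ *end = '\0';
  return(buf);
  }
 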
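Review bot: The two `>= len` comparisons in the new loop compare strlcat()'s size_t result against the int parameter `len`, so they are only correct because the `len < 2` early return above keeps `len` positive; a negative `len` converted to size_t would be treated as an enormous buffer size. I would make that dependency explicit with a local such as `size_t size = (size_t)len;` assigned right after the guard and used in both strlcat() calls and both comparisons, or at minimum a comment on the guard saying the loop relies on it. Separately, `buf[0] = '\0'` writes through `buf` unconditionally while the guard tests only `s->session`, `s->session->ciphers` and `len`; adding `buf == NULL` to that existing condition would be cheap. The truncation rollback via `*end = '\0'` and the strrchr() colon strip also rely on the invariant that a non-empty `buf` always ends in ':', which deserves a one-line comment next to `end = buf + curlen;`.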