diff options
author | henning <> | 2007-10-11 11:27:31 +0000 |
---|---|---|
committer | henning <> | 2007-10-11 11:27:31 +0000 |
commit | 18cab50e04f2dbbae945d01219e070c479b56308 (patch) | |
tree | b2a87d678491cfd251dbdd0ff023ba847117e707 | |
parent | 577a309fd6cdf905070eed969779ef0ef102fe90 (diff) | |
download | openbsd-OPENBSD_4_1.tar.gz openbsd-OPENBSD_4_1.tar.bz2 openbsd-OPENBSD_4_1.zip |
MFC, fix by moritz:OPENBSD_4_1
The SSL_get_shared_ciphers() function contains an off-by-one overflow.
-rw-r--r-- | src/lib/libssl/src/ssl/ssl_lib.c | 27 |
1 files changed, 12 insertions, 15 deletions
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c index 4e8f302a5e..0f4b7a475b 100644 --- a/src/lib/libssl/src/ssl/ssl_lib.c +++ b/src/lib/libssl/src/ssl/ssl_lib.c | |||
@@ -1168,36 +1168,33 @@ int SSL_set_cipher_list(SSL *s,const char *str) | |||
1168 | /* works well for SSLv2, not so good for SSLv3 */ | 1168 | /* works well for SSLv2, not so good for SSLv3 */ |
1169 | char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len) | 1169 | char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len) |
1170 | { | 1170 | { |
1171 | char *p; | 1171 | char *end; |
1172 | const char *cp; | ||
1173 | STACK_OF(SSL_CIPHER) *sk; | 1172 | STACK_OF(SSL_CIPHER) *sk; |
1174 | SSL_CIPHER *c; | 1173 | SSL_CIPHER *c; |
1174 | size_t curlen = 0; | ||
1175 | int i; | 1175 | int i; |
1176 | 1176 | ||
1177 | if ((s->session == NULL) || (s->session->ciphers == NULL) || | 1177 | if ((s->session == NULL) || (s->session->ciphers == NULL) || |
1178 | (len < 2)) | 1178 | (len < 2)) |
1179 | return(NULL); | 1179 | return(NULL); |
1180 | 1180 | ||
1181 | p=buf; | ||
1182 | sk=s->session->ciphers; | 1181 | sk=s->session->ciphers; |
1182 | buf[0] = '\0'; | ||
1183 | for (i=0; i<sk_SSL_CIPHER_num(sk); i++) | 1183 | for (i=0; i<sk_SSL_CIPHER_num(sk); i++) |
1184 | { | 1184 | { |
1185 | /* Decrement for either the ':' or a '\0' */ | ||
1186 | len--; | ||
1187 | c=sk_SSL_CIPHER_value(sk,i); | 1185 | c=sk_SSL_CIPHER_value(sk,i); |
1188 | for (cp=c->name; *cp; ) | 1186 | end = buf + curlen; |
1187 | if (strlcat(buf, c->name, len) >= len || | ||
1188 | (curlen = strlcat(buf, ":", len)) >= len) | ||
1189 | { | 1189 | { |
1190 | if (len-- <= 0) | 1190 | /* remove truncated cipher from list */ |
1191 | { | 1191 | *end = '\0'; |
1192 | *p='\0'; | 1192 | break; |
1193 | return(buf); | ||
1194 | } | ||
1195 | else | ||
1196 | *(p++)= *(cp++); | ||
1197 | } | 1193 | } |
1198 | *(p++)=':'; | ||
1199 | } | 1194 | } |
1200 | p[-1]='\0'; | 1195 | /* remove trailing colon */ |
1196 | if ((end = strrchr(buf, ':')) != NULL) | ||
1197 | *end = '\0'; | ||
1201 | return(buf); | 1198 | return(buf); |
1202 | } | 1199 | } |
1203 | 1200 | ||