Fix off-by-one buffer overflow in SSL_get_shared_ciphers().

From OpenSSL_0_9_8-stable branch. ok djm@
author: moritz <> 2007-09-27 16:18:12 +0000
committer: moritz <> 2007-09-27 16:18:12 +0000
commit: fcb4c334c49f39f56926518b19cbf63e342767d9 (patch)
tree: d58b5bdf66218124ce56d6432307dcc72c66f280
parent: 2ae560938f428b058c0acdfad659933c33942408 (diff)
download: openbsd-fcb4c334c49f39f56926518b19cbf63e342767d9.tar.gz
openbsd-fcb4c334c49f39f56926518b19cbf63e342767d9.tar.bz2
openbsd-fcb4c334c49f39f56926518b19cbf63e342767d9.zip
2 files changed, 22 insertions, 22 deletions
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c
index 4e8f302a5e..e9fda28f63 100644
--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -1169,7 +1169,6 @@ int SSL_set_cipher_list(SSL *s,const char *str)
 char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
        {
        char *p;
-        const char *cp;
        STACK_OF(SSL_CIPHER) *sk;
        SSL_CIPHER *c;
        int i;
@@ -1182,20 +1181,21 @@ char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
        sk=s->session->ciphers;
        for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
                {
-                /* Decrement for either the ':' or a '\0' */
+                int n;
-                len--;
                c=sk_SSL_CIPHER_value(sk,i);
-                for (cp=c->name; *cp; )
+                n=strlen(c->name);
+                if (n+1 > len)
                        {
-                        if (len-- <= 0)
+                        if (p != buf)
-                                {
+                                --p;
-                                *p='\0';
+                        *p='\0';
-                                return(buf);
+                        return buf;
-                                }
-                        else
-                                *(p++)= *(cp++);
                        }
+                strcpy(p,c->name);
+                p+=n;
                *(p++)=':';
+                len-=n+1;
                }
        p[-1]='\0';
        return(buf);
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 4e8f302a5e..e9fda28f63 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1169,7 +1169,6 @@ int SSL_set_cipher_list(SSL *s,const char *str)
 char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
        {
        char *p;
-        const char *cp;
        STACK_OF(SSL_CIPHER) *sk;
        SSL_CIPHER *c;
        int i;
@@ -1182,20 +1181,21 @@ char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
        sk=s->session->ciphers;
        for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
                {
-                /* Decrement for either the ':' or a '\0' */
+                int n;
-                len--;
                c=sk_SSL_CIPHER_value(sk,i);
-                for (cp=c->name; *cp; )
+                n=strlen(c->name);
+                if (n+1 > len)
                        {
-                        if (len-- <= 0)
+                        if (p != buf)
-                                {
+                                --p;
-                                *p='\0';
+                        *p='\0';
-                                return(buf);
+                        return buf;
-                                }
-                        else
-                                *(p++)= *(cp++);
                        }
+                strcpy(p,c->name);
+                p+=n;
                *(p++)=':';
+                len-=n+1;
                }
        p[-1]='\0';
        return(buf);
author	moritz <>	2007-09-27 16:18:12 +0000
committer	moritz <>	2007-09-27 16:18:12 +0000
commit	fcb4c334c49f39f56926518b19cbf63e342767d9 (patch)
tree	d58b5bdf66218124ce56d6432307dcc72c66f280
parent	2ae560938f428b058c0acdfad659933c33942408 (diff)
download	openbsd-fcb4c334c49f39f56926518b19cbf63e342767d9.tar.gz openbsd-fcb4c334c49f39f56926518b19cbf63e342767d9.tar.bz2 openbsd-fcb4c334c49f39f56926518b19cbf63e342767d9.zip

diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c index 4e8f302a5e..e9fda28f63 100644 --- a/src/lib/libssl/src/ssl/ssl_lib.c +++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -1169,7 +1169,6 @@ int SSL_set_cipher_list(SSL s,const char str)
1169	char SSL_get_shared_ciphers(const SSL s,char *buf,int len)	1169	char SSL_get_shared_ciphers(const SSL s,char *buf,int len)
1170	{	1170	{
1171	char *p;	1171	char *p;
1172	const char *cp;
1173	STACK_OF(SSL_CIPHER) *sk;	1172	STACK_OF(SSL_CIPHER) *sk;
1174	SSL_CIPHER *c;	1173	SSL_CIPHER *c;
1175	int i;	1174	int i;
@@ -1182,20 +1181,21 @@ char SSL_get_shared_ciphers(const SSL s,char *buf,int len)
1182	sk=s->session->ciphers;	1181	sk=s->session->ciphers;
1183	for (i=0; i<sk_SSL_CIPHER_num(sk); i++)	1182	for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
1184	{	1183	{
1185	/* Decrement for either the ':' or a '\0' */	1184	int n;
1186	len--;	1185
1187	c=sk_SSL_CIPHER_value(sk,i);	1186	c=sk_SSL_CIPHER_value(sk,i);
1188	for (cp=c->name; *cp; )	1187	n=strlen(c->name);
		1188	if (n+1 > len)
1189	{	1189	{
1190	if (len-- <= 0)	1190	if (p != buf)
1191	{	1191	--p;
1192	*p='\0';	1192	*p='\0';
1193	return(buf);	1193	return buf;
1194	}
1195	else
1196	(p++)= (cp++);
1197	}	1194	}
		1195	strcpy(p,c->name);
		1196	p+=n;
1198	*(p++)=':';	1197	*(p++)=':';
		1198	len-=n+1;
1199	}	1199	}
1200	p[-1]='\0';	1200	p[-1]='\0';
1201	return(buf);	1201	return(buf);


diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 4e8f302a5e..e9fda28f63 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c
@@ -1169,7 +1169,6 @@ int SSL_set_cipher_list(SSL s,const char str)
1169	char SSL_get_shared_ciphers(const SSL s,char *buf,int len)	1169	char SSL_get_shared_ciphers(const SSL s,char *buf,int len)
1170	{	1170	{
1171	char *p;	1171	char *p;
1172	const char *cp;
1173	STACK_OF(SSL_CIPHER) *sk;	1172	STACK_OF(SSL_CIPHER) *sk;
1174	SSL_CIPHER *c;	1173	SSL_CIPHER *c;
1175	int i;	1174	int i;
@@ -1182,20 +1181,21 @@ char SSL_get_shared_ciphers(const SSL s,char *buf,int len)
1182	sk=s->session->ciphers;	1181	sk=s->session->ciphers;
1183	for (i=0; i<sk_SSL_CIPHER_num(sk); i++)	1182	for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
1184	{	1183	{
1185	/* Decrement for either the ':' or a '\0' */	1184	int n;
1186	len--;	1185
1187	c=sk_SSL_CIPHER_value(sk,i);	1186	c=sk_SSL_CIPHER_value(sk,i);
1188	for (cp=c->name; *cp; )	1187	n=strlen(c->name);
		1188	if (n+1 > len)
1189	{	1189	{
1190	if (len-- <= 0)	1190	if (p != buf)
1191	{	1191	--p;
1192	*p='\0';	1192	*p='\0';
1193	return(buf);	1193	return buf;
1194	}
1195	else
1196	(p++)= (cp++);
1197	}	1194	}
		1195	strcpy(p,c->name);
		1196	p+=n;
1198	*(p++)=':';	1197	*(p++)=':';
		1198	len-=n+1;
1199	}	1199	}
1200	p[-1]='\0';	1200	p[-1]='\0';
1201	return(buf);	1201	return(buf);