ssl_cipher_process_rulestr: don't read outside rule_str buffer

If rule_str ended in a "-", "l" was incremented one byte past the end of the buffer. This resulted in an out-of-bounds read when "l" is dereferenced at the end of the loop. OK tb@
author: millert <> 2022-09-07 21:34:22 +0000
committer: millert <> 2022-09-07 21:34:22 +0000
commit: 0ca9d5c5e38e348ed9be8a958a2821455bf161be (patch)
tree: 3f7ad628601f4309c49ea50fccdc75741d070ab4 /src
parent: f8e97ec40446a142eaf51b0319013f055c851321 (diff)
download: openbsd-0ca9d5c5e38e348ed9be8a958a2821455bf161be.tar.gz
openbsd-0ca9d5c5e38e348ed9be8a958a2821455bf161be.tar.bz2
openbsd-0ca9d5c5e38e348ed9be8a958a2821455bf161be.zip
1 files changed, 3 insertions, 2 deletions
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index d304cfe6ec..106a9befdd 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.132 2022/09/04 07:55:32 tb Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.133 2022/09/07 21:34:22 millert Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1011,7 +1011,8 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p,
                                 */
                                SSLerrorx(SSL_R_INVALID_COMMAND);
                                retval = found = 0;
-                                l++;
+                                if (ch != '\0')
+                                        l++;
                                break;
                        }
author	millert <>	2022-09-07 21:34:22 +0000
committer	millert <>	2022-09-07 21:34:22 +0000
commit	0ca9d5c5e38e348ed9be8a958a2821455bf161be (patch)
tree	3f7ad628601f4309c49ea50fccdc75741d070ab4 /src
parent	f8e97ec40446a142eaf51b0319013f055c851321 (diff)
download	openbsd-0ca9d5c5e38e348ed9be8a958a2821455bf161be.tar.gz openbsd-0ca9d5c5e38e348ed9be8a958a2821455bf161be.tar.bz2 openbsd-0ca9d5c5e38e348ed9be8a958a2821455bf161be.zip