From 0ca9d5c5e38e348ed9be8a958a2821455bf161be Mon Sep 17 00:00:00 2001 From: millert <> Date: Wed, 7 Sep 2022 21:34:22 +0000 Subject: ssl_cipher_process_rulestr: don't read outside rule_str buffer If rule_str ended in a "-", "l" was incremented one byte past the end of the buffer. This resulted in an out-of-bounds read when "l" is dereferenced at the end of the loop. OK tb@ --- src/lib/libssl/ssl_ciph.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'src/lib')
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index d304cfe6ec..106a9befdd 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.132 2022/09/04 07:55:32 tb Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.133 2022/09/07 21:34:22 millert Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1011,7 +1011,8 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p,
 */
 SSLerrorx(SSL_R_INVALID_COMMAND);
 retval = found = 0;
- l++;
+ if (ch != '\0')
+ l++;
 break;
 }
-- cgit v1.2.3-55-g6feb
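Review bot: The new guard `if (ch != '\0')` in the second hunk only protects the buffer if `ch` still holds `*l` when the invalid-command branch is reached, and the assignment to `ch` is outside the visible lines. A one-line comment above the guard would make that invariant explicit, for example `/* ch is *l here: do not advance past the terminating NUL */`. The commit touches only ssl_ciph.c, so a regression case for a rule string ending in "-", run under an address sanitizer or similar, would keep the out-of-bounds read from returning unnoticed. The loop in ssl_cipher_process_rulestr starts and ends outside the hunk, so whether its other increments of `l` are bounded the same way cannot be confirmed from here.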