From 7b7cf02427def33a12d6a27c01ef7a7e64bc08d3 Mon Sep 17 00:00:00 2001
From: miod <>
Date: Sat, 24 May 2014 19:27:48 +0000
Subject: In ssl_cipher_get_evp(), fix off-by-one in index validation before
 accessing arrays.

"kind of scary" deraadt@, ok guenther@
---
 src/lib/libssl/src/ssl/ssl_ciph.c | 4 ++--
 src/lib/libssl/ssl_ciph.c         | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/libssl/src/ssl/ssl_ciph.c b/src/lib/libssl/src/ssl/ssl_ciph.c
index 77d8a3c79f..4ae3312a1a 100644
--- a/src/lib/libssl/src/ssl/ssl_ciph.c
+++ b/src/lib/libssl/src/ssl/ssl_ciph.c
@@ -559,7 +559,7 @@ ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
 		break;
 	}
 
-	if ((i < 0) || (i > SSL_ENC_NUM_IDX))
+	if ((i < 0) || (i >= SSL_ENC_NUM_IDX))
 		*enc = NULL;
 	else {
 		if (i == SSL_ENC_NULL_IDX)
@@ -591,7 +591,7 @@ ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
 		i = -1;
 		break;
 	}
-	if ((i < 0) || (i > SSL_MD_NUM_IDX)) {
+	if ((i < 0) || (i >= SSL_MD_NUM_IDX)) {
 		*md = NULL;
 
 		if (mac_pkey_type != NULL)
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 77d8a3c79f..4ae3312a1a 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -559,7 +559,7 @@ ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
 		break;
 	}
 
-	if ((i < 0) || (i > SSL_ENC_NUM_IDX))
+	if ((i < 0) || (i >= SSL_ENC_NUM_IDX))
 		*enc = NULL;
 	else {
 		if (i == SSL_ENC_NULL_IDX)
@@ -591,7 +591,7 @@ ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
 		i = -1;
 		break;
 	}
-	if ((i < 0) || (i > SSL_MD_NUM_IDX)) {
+	if ((i < 0) || (i >= SSL_MD_NUM_IDX)) {
 		*md = NULL;
 
 		if (mac_pkey_type != NULL)
-- 
cgit v1.2.3-55-g6feb