author | Simon L. B. Nielsen <simon@FreeBSD.org> | 2007-10-03 21:38:57 +0000 |
---|---|---|
committer | Simon L. B. Nielsen <simon@FreeBSD.org> | 2007-10-03 21:38:57 +0000 |
commit | ec4b528c4ab13ecbe7c160533e7ffc81bc5b75c6 (patch) | |
tree | 45f5297fae83bde67f6867b89f3c55b9378a6ff8 | |
parent | 2cd96fdf2c8f526514d8ffc4a638009390d39521 (diff) | |
Correct a buffer overflow in OpenSSL SSL_get_shared_ciphers().
Security: FreeBSD-SA-07:08.openssl
Approved by: re (security blanket)
Notes
Notes:
svn path=/head/; revision=172429
-rw-r--r-- | crypto/openssl/ssl/ssl_lib.c | 22 |
1 files changed, 11 insertions, 11 deletions
diff --git a/crypto/openssl/ssl/ssl_lib.c b/crypto/openssl/ssl/ssl_lib.c
index 4e81922d7588..3ab78a67dcb4 100644
--- a/crypto/openssl/ssl/ssl_lib.c
+++ b/crypto/openssl/ssl/ssl_lib.c
@@ -1201,7 +1201,6 @@ int SSL_set_cipher_list(SSL *s,const char *str)
 char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
 {
 char *p;
- const char *cp;
 STACK_OF(SSL_CIPHER) *sk;
 SSL_CIPHER *c;
 int i;
@@ -1214,20 +1213,21 @@ char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
 sk=s->session->ciphers;
 for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
 {
- /* Decrement for either the ':' or a '\0' */
- len--;
+ int n;
+
 c=sk_SSL_CIPHER_value(sk,i);
- for (cp=c->name; *cp; )
+ n=strlen(c->name);
+ if (n+1 > len)
 {
- if (len-- <= 0)
- {
- *p='\0';
- return(buf);
- }
- else
- *(p++)= *(cp++);
+ if (p != buf)
+ --p;
+ *p='\0';
+ return buf;
 }
+ strcpy(p,c->name);
+ p+=n;
 *(p++)=':';
+ len-=n+1;
 }
 p[-1]='\0';
 return(buf); |
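Review bot: The closing `p[-1]='\0';` after the loop still assumes at least one cipher name was copied. If `sk_SSL_CIPHER_num(sk)` returns 0 the loop body never runs, `p` still equals `buf`, and the store lands one byte before the caller's buffer. The argument checks at the top of SSL_get_shared_ciphers() are outside this hunk, so confirm that an empty stack and a `len` below 1 are rejected there. If they are not, guard the tail with `if (p == buf) { *p='\0'; return buf; }`, which itself needs `len >= 1`. A short comment on the new block stating that `len` counts the bytes still free in `buf`, including the one reserved for the ':' or the terminator, would make the `n+1 > len` test easier to audit.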