diff options
author | simon <simon@FreeBSD.org> | 2007-10-03 21:38:57 +0000 |
---|---|---|
committer | simon <simon@FreeBSD.org> | 2007-10-03 21:38:57 +0000 |
commit | 6d467b2229d5ef17f0db5448a70e7ec0bff2a949 (patch) | |
tree | 45f5297fae83bde67f6867b89f3c55b9378a6ff8 | |
parent | 1f19004b84fe5927e804d0046b33c59c0e9ca306 (diff) | |
download | FreeBSD-src-6d467b2229d5ef17f0db5448a70e7ec0bff2a949.zip FreeBSD-src-6d467b2229d5ef17f0db5448a70e7ec0bff2a949.tar.gz |
Correct a buffer overflow in OpenSSL SSL_get_shared_ciphers().
Security: FreeBSD-SA-07:08.openssl
Approved by: re (security blanket)
-rw-r--r-- | crypto/openssl/ssl/ssl_lib.c | 22 |
1 files changed, 11 insertions, 11 deletions
diff --git a/crypto/openssl/ssl/ssl_lib.c b/crypto/openssl/ssl/ssl_lib.c index 4e81922..3ab78a6 100644 --- a/crypto/openssl/ssl/ssl_lib.c +++ b/crypto/openssl/ssl/ssl_lib.c @@ -1201,7 +1201,6 @@ int SSL_set_cipher_list(SSL *s,const char *str) char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len) { char *p; - const char *cp; STACK_OF(SSL_CIPHER) *sk; SSL_CIPHER *c; int i; @@ -1214,20 +1213,21 @@ char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len) sk=s->session->ciphers; for (i=0; i<sk_SSL_CIPHER_num(sk); i++) { - /* Decrement for either the ':' or a '\0' */ - len--; + int n; + c=sk_SSL_CIPHER_value(sk,i); - for (cp=c->name; *cp; ) + n=strlen(c->name); + if (n+1 > len) { - if (len-- <= 0) - { - *p='\0'; - return(buf); - } - else - *(p++)= *(cp++); + if (p != buf) + --p; + *p='\0'; + return buf; } + strcpy(p,c->name); + p+=n; *(p++)=':'; + len-=n+1; } p[-1]='\0'; return(buf); |