Correct a buffer overflow in OpenSSL SSL_get_shared_ciphers().
Security: FreeBSD-SA-07:08.openssl Approved by: re (security blanket)
This commit is contained in:
Simon L. B. Nielsen
parent
2cd96fdf2c
commit
ec4b528c4a
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=172429
@ -1201,7 +1201,6 @@ int SSL_set_cipher_list(SSL *s,const char *str)
|
||||
char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
|
||||
{
|
||||
char *p;
|
||||
const char *cp;
|
||||
STACK_OF(SSL_CIPHER) *sk;
|
||||
SSL_CIPHER *c;
|
||||
int i;
|
||||
@ -1214,20 +1213,21 @@ char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
|
||||
sk=s->session->ciphers;
|
||||
for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
|
||||
{
|
||||
/* Decrement for either the ':' or a '\0' */
|
||||
len--;
|
||||
int n;
|
||||
|
||||
c=sk_SSL_CIPHER_value(sk,i);
|
||||
for (cp=c->name; *cp; )
|
||||
n=strlen(c->name);
|
||||
if (n+1 > len)
|
||||
{
|
||||
if (len-- <= 0)
|
||||
{
|
||||
*p='\0';
|
||||
return(buf);
|
||||
}
|
||||
else
|
||||
*(p++)= *(cp++);
|
||||
if (p != buf)
|
||||
--p;
|
||||
*p='\0';
|
||||
return buf;
|
||||
}
|
||||
strcpy(p,c->name);
|
||||
p+=n;
|
||||
*(p++)=':';
|
||||
len-=n+1;
|
||||
}
|
||||
p[-1]='\0';
|
||||
return(buf);
|
||||
|
||||
Loading…
Reference in New Issue
Block a user