diff options
author | Moritz Jodeit <moritz@cvs.openbsd.org> | 2007-09-27 16:18:13 +0000 |
---|---|---|
committer | Moritz Jodeit <moritz@cvs.openbsd.org> | 2007-09-27 16:18:13 +0000 |
commit | 293f14449fd212b5267d37a2354e8449937869c6 (patch) | |
tree | fa0fe36d9b92f213b3c1381e38315acf547bd992 | |
parent | a5d7ff41b333cc4c94d7471f8154f7b52c1300c2 (diff) |
Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.
ok djm@
-rw-r--r-- | lib/libssl/src/ssl/ssl_lib.c | 22 |
1 files changed, 11 insertions, 11 deletions
diff --git a/lib/libssl/src/ssl/ssl_lib.c b/lib/libssl/src/ssl/ssl_lib.c index 4e8f302a5e6..e9fda28f638 100644 --- a/lib/libssl/src/ssl/ssl_lib.c +++ b/lib/libssl/src/ssl/ssl_lib.c @@ -1169,7 +1169,6 @@ int SSL_set_cipher_list(SSL *s,const char *str) char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len) { char *p; - const char *cp; STACK_OF(SSL_CIPHER) *sk; SSL_CIPHER *c; int i; @@ -1182,20 +1181,21 @@ char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len) sk=s->session->ciphers; for (i=0; i<sk_SSL_CIPHER_num(sk); i++) { - /* Decrement for either the ':' or a '\0' */ - len--; + int n; + c=sk_SSL_CIPHER_value(sk,i); - for (cp=c->name; *cp; ) + n=strlen(c->name); + if (n+1 > len) { - if (len-- <= 0) - { - *p='\0'; - return(buf); - } - else - *(p++)= *(cp++); + if (p != buf) + --p; + *p='\0'; + return buf; } + strcpy(p,c->name); + p+=n; *(p++)=':'; + len-=n+1; } p[-1]='\0'; return(buf); |