summaryrefslogtreecommitdiff
path: root/lib/libssl/ssl_ciph.c
diff options
context:
space:
mode:
authorTodd C. Miller <millert@cvs.openbsd.org>2022-09-07 21:34:23 +0000
committerTodd C. Miller <millert@cvs.openbsd.org>2022-09-07 21:34:23 +0000
commitf8d50763af1caa6a214ab974250958a41d9893b1 (patch)
tree24fde9b09fe64382afdded743fae74883eb858df /lib/libssl/ssl_ciph.c
parenta39bacb09f3578ba5787094339693882ba038a5d (diff)
ssl_cipher_process_rulestr: don't read outside rule_str buffer
If rule_str ended in a "-", "l" was incremented one byte past the end of the buffer. This resulted in an out-of-bounds read when "l" is dereferenced at the end of the loop. OK tb@
Diffstat (limited to 'lib/libssl/ssl_ciph.c')
-rw-r--r--lib/libssl/ssl_ciph.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/lib/libssl/ssl_ciph.c b/lib/libssl/ssl_ciph.c
index d304cfe6ec1..106a9befddb 100644
--- a/lib/libssl/ssl_ciph.c
+++ b/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.132 2022/09/04 07:55:32 tb Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.133 2022/09/07 21:34:22 millert Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1011,7 +1011,8 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p,
*/
SSLerrorx(SSL_R_INVALID_COMMAND);
retval = found = 0;
- l++;
+ if (ch != '\0')
+ l++;
break;
}