From bba2129948c1828d263a2db171d48d8b06556b7c Mon Sep 17 00:00:00 2001
From: Miod Vallat <miod@cvs.openbsd.org>
Date: Sat, 24 May 2014 19:27:49 +0000
Subject: In ssl_cipher_get_evp(), fix off-by-one in index validation before
 accessing arrays.

"kind of scary" deraadt@, ok guenther@
---
 lib/libssl/ssl_ciph.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/libssl/ssl_ciph.c b/lib/libssl/ssl_ciph.c
index 77d8a3c79f3..4ae3312a1a0 100644
--- a/lib/libssl/ssl_ciph.c
+++ b/lib/libssl/ssl_ciph.c
@@ -559,7 +559,7 @@ ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
 		break;
 	}
 
-	if ((i < 0) || (i > SSL_ENC_NUM_IDX))
+	if ((i < 0) || (i >= SSL_ENC_NUM_IDX))
 		*enc = NULL;
 	else {
 		if (i == SSL_ENC_NULL_IDX)
@@ -591,7 +591,7 @@ ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
 		i = -1;
 		break;
 	}
-	if ((i < 0) || (i > SSL_MD_NUM_IDX)) {
+	if ((i < 0) || (i >= SSL_MD_NUM_IDX)) {
 		*md = NULL;
 
 		if (mac_pkey_type != NULL)
-- 
cgit v1.2.3