46 lines
1.0 KiB
Diff
46 lines
1.0 KiB
Diff
|
Possible one byte buffer overflow in SSL_get_shared_ciphers.
|
||
|
CVE-2007-5135
|
||
|
diff -up openssl-0.9.8b/ssl/ssl_lib.c.orig openssl-0.9.8b/ssl/ssl_lib.c
|
||
|
--- openssl-0.9.8b/ssl/ssl_lib.c.orig 2007-10-08 10:20:42.000000000 +0200
|
||
|
+++ openssl-0.9.8b/ssl/ssl_lib.c 2007-10-08 17:32:29.000000000 +0200
|
||
|
@@ -1201,7 +1201,6 @@ int SSL_set_cipher_list(SSL *s,const cha
|
||
|
char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
|
||
|
{
|
||
|
char *p;
|
||
|
- const char *cp;
|
||
|
STACK_OF(SSL_CIPHER) *sk;
|
||
|
SSL_CIPHER *c;
|
||
|
int i;
|
||
|
@@ -1214,20 +1213,21 @@ char *SSL_get_shared_ciphers(const SSL *
|
||
|
sk=s->session->ciphers;
|
||
|
for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
|
||
|
{
|
||
|
- /* Decrement for either the ':' or a '\0' */
|
||
|
- len--;
|
||
|
+ int n;
|
||
|
+
|
||
|
c=sk_SSL_CIPHER_value(sk,i);
|
||
|
- for (cp=c->name; *cp; )
|
||
|
+ n=strlen(c->name);
|
||
|
+ if (n+1 > len)
|
||
|
{
|
||
|
- if (len-- <= 0)
|
||
|
- {
|
||
|
- *p='\0';
|
||
|
- return(buf);
|
||
|
- }
|
||
|
- else
|
||
|
- *(p++)= *(cp++);
|
||
|
+ if (p != buf)
|
||
|
+ --p;
|
||
|
+ *p='\0';
|
||
|
+ return buf;
|
||
|
}
|
||
|
+ strcpy(p,c->name);
|
||
|
+ p+=n;
|
||
|
*(p++)=':';
|
||
|
+ len-=n+1;
|
||
|
}
|
||
|
p[-1]='\0';
|
||
|
return(buf);
|