28 lines
1.1 KiB
Diff
28 lines
1.1 KiB
Diff
Tavis Ormandy and Will Drewry of the Google Security Team discovered a buffer
|
|
overflow in SSL_get_shared_ciphers utility function, used by some
|
|
applications such as exim and mysql. An attacker could send a list of
|
|
ciphers that would overrun a buffer CVE-2006-3738
|
|
|
|
--- ssl/ssl_lib.c 2005-10-01 00:38:20.000000000 +0100
|
|
+++ ssl/ssl_lib.c 2006-08-28 19:08:37.401404000 +0100
|
|
@@ -1219,7 +1219,7 @@ char *SSL_get_shared_ciphers(const SSL *
|
|
c=sk_SSL_CIPHER_value(sk,i);
|
|
for (cp=c->name; *cp; )
|
|
{
|
|
- if (len-- == 0)
|
|
+ if (len-- <= 0)
|
|
{
|
|
*p='\0';
|
|
return(buf);
|
|
--- ssl/s3_srvr.c 2005-10-01 00:38:20.000000000 +0100
|
|
+++ ssl/s3_srvr.c 2006-08-28 19:16:39.313556000 +0100
|
|
@@ -2017,7 +2017,7 @@ int ssl3_get_client_key_exchange(SSL *s)
|
|
|
|
if (kssl_ctx->client_princ)
|
|
{
|
|
- int len = strlen(kssl_ctx->client_princ);
|
|
+ size_t len = strlen(kssl_ctx->client_princ);
|
|
if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH )
|
|
{
|
|
s->session->krb5_client_princ_len = len;
|