[Midnightbsd-cvs] src: ssl_lib.c: Fix a security issue with openssl.
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Wed Oct 3 19:57:10 EDT 2007
Log Message:
-----------
Fix a security issue with openssl.
For applications using the SSL_get_shared_ciphers() function, the
buffer overflow could allow an attacker to crash or potentially
execute arbitrary code with the permissions of the user running the
application. (freebsd advisory text).
Modified Files:
--------------
src/crypto/openssl/ssl:
ssl_lib.c (r1.2 -> r1.3)
-------------- next part --------------
Index: ssl_lib.c
===================================================================
RCS file: /home/cvs/src/crypto/openssl/ssl/ssl_lib.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -Lcrypto/openssl/ssl/ssl_lib.c -Lcrypto/openssl/ssl/ssl_lib.c -u -r1.2 -r1.3
--- crypto/openssl/ssl/ssl_lib.c
+++ crypto/openssl/ssl/ssl_lib.c
@@ -1149,7 +1149,6 @@
char *SSL_get_shared_ciphers(SSL *s,char *buf,int len)
{
char *p;
- const char *cp;
STACK_OF(SSL_CIPHER) *sk;
SSL_CIPHER *c;
int i;
@@ -1162,20 +1161,21 @@
sk=s->session->ciphers;
for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
{
- /* Decrement for either the ':' or a '\0' */
- len--;
+ int n;
+
c=sk_SSL_CIPHER_value(sk,i);
- for (cp=c->name; *cp; )
+ n=strlen(c->name);
+ if (n+1 > len)
{
- if (len-- <= 0)
- {
- *p='\0';
- return(buf);
- }
- else
- *(p++)= *(cp++);
+ if (p != buf)
+ --p;
+ *p='\0';
+ return buf;
}
+ strcpy(p,c->name);
+ p+=n;
*(p++)=':';
+ len-=n+1;
}
p[-1]='\0';
return(buf);
More information about the Midnightbsd-cvs
mailing list