| 1 |
wellsi |
1.1 |
Possible one byte buffer overflow in SSL_get_shared_ciphers. |
| 2 |
|
|
CVE-2007-5135 |
| 3 |
|
|
diff -up openssl-0.9.8b/ssl/ssl_lib.c.orig openssl-0.9.8b/ssl/ssl_lib.c |
| 4 |
|
|
--- openssl-0.9.8b/ssl/ssl_lib.c.orig 2007-10-08 10:20:42.000000000 +0200 |
| 5 |
|
|
+++ openssl-0.9.8b/ssl/ssl_lib.c 2007-10-08 17:32:29.000000000 +0200 |
| 6 |
|
|
@@ -1201,7 +1201,6 @@ int SSL_set_cipher_list(SSL *s,const cha |
| 7 |
|
|
char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len) |
| 8 |
|
|
{ |
| 9 |
|
|
char *p; |
| 10 |
|
|
- const char *cp; |
| 11 |
|
|
STACK_OF(SSL_CIPHER) *sk; |
| 12 |
|
|
SSL_CIPHER *c; |
| 13 |
|
|
int i; |
| 14 |
|
|
@@ -1214,20 +1213,21 @@ char *SSL_get_shared_ciphers(const SSL * |
| 15 |
|
|
sk=s->session->ciphers; |
| 16 |
|
|
for (i=0; i<sk_SSL_CIPHER_num(sk); i++) |
| 17 |
|
|
{ |
| 18 |
|
|
- /* Decrement for either the ':' or a '\0' */ |
| 19 |
|
|
- len--; |
| 20 |
|
|
+ int n; |
| 21 |
|
|
+ |
| 22 |
|
|
c=sk_SSL_CIPHER_value(sk,i); |
| 23 |
|
|
- for (cp=c->name; *cp; ) |
| 24 |
|
|
+ n=strlen(c->name); |
| 25 |
|
|
+ if (n+1 > len) |
| 26 |
|
|
{ |
| 27 |
|
|
- if (len-- <= 0) |
| 28 |
|
|
- { |
| 29 |
|
|
- *p='\0'; |
| 30 |
|
|
- return(buf); |
| 31 |
|
|
- } |
| 32 |
|
|
- else |
| 33 |
|
|
- *(p++)= *(cp++); |
| 34 |
|
|
+ if (p != buf) |
| 35 |
|
|
+ --p; |
| 36 |
|
|
+ *p='\0'; |
| 37 |
|
|
+ return buf; |
| 38 |
|
|
} |
| 39 |
|
|
+ strcpy(p,c->name); |
| 40 |
|
|
+ p+=n; |
| 41 |
|
|
*(p++)=':'; |
| 42 |
|
|
+ len-=n+1; |
| 43 |
|
|
} |
| 44 |
|
|
p[-1]='\0'; |
| 45 |
|
|
return(buf); |
Parent Directory
| 
Revision Log
| 
Revision Graph
