From cce5ad9f407ef06e47402da44a7e4cd1c60440ea Mon Sep 17 00:00:00 2001 From: millert Date: Wed, 7 Sep 2022 21:34:22 +0000 Subject: [PATCH] ssl_cipher_process_rulestr: don't read outside rule_str buffer If rule_str ended in a "-", "l" was incremented one byte past the end of the buffer. This resulted in an out-of-bounds read when "l" is dereferenced at the end of the loop. OK tb@ --- lib/libssl/ssl_ciph.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/libssl/ssl_ciph.c b/lib/libssl/ssl_ciph.c index d304cfe6ec1..106a9befddb 100644 --- a/lib/libssl/ssl_ciph.c +++ b/lib/libssl/ssl_ciph.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_ciph.c,v 1.132 2022/09/04 07:55:32 tb Exp $ */ +/* $OpenBSD: ssl_ciph.c,v 1.133 2022/09/07 21:34:22 millert Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1011,7 +1011,8 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, */ SSLerrorx(SSL_R_INVALID_COMMAND); retval = found = 0; - l++; + if (ch != '\0') + l++; break; } -- 2.20.1