diff options
author | Todd C. Miller <Todd.Miller@sudo.ws> | 2022-10-24 08:00:48 -0600 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2022-10-26 12:52:23 +0200 |
commit | 9b3219ba544db82cdad3058b9872058739559944 (patch) | |
tree | 702b319b23f3d0ac4a426e0511d49a24e2ea34d1 | |
parent | c7a02ba09e3c3088d635a91ab179a1e7bdd5e340 (diff) |
ssl_cipher_process_rulestr: don't read outside rule_str buffer
If rule_str ended in a "-", "l" was incremented one byte past the
end of the buffer. This resulted in an out-of-bounds read when "l"
is dereferenced at the end of the loop. It is safest to just return
early in this case since the condition occurs inside a nested loop.
CLA: trivial
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19166)
(cherry picked from commit 428511ca66670e169a0e1b12e7540714b0be4cf8)
-rw-r--r-- | ssl/ssl_ciph.c | 4 |
1 files changed, 1 insertions, 3 deletions
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 55f919fcd5..62d0a58b22 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -1026,9 +1026,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str, * alphanumeric, so we call this an error. */ SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_INVALID_COMMAND); - retval = found = 0; - l++; - break; + return 0; } if (rule == CIPHER_SPECIAL) { |