ssl_cipher_process_rulestr: don't read outside rule_str buffer

If rule_str ended in a "-", "l" was incremented one byte past the end of the buffer. This resulted in an out-of-bounds read when "l" is dereferenced at the end of the loop. It is safest to just return early in this case since the condition occurs inside a nested loop. CLA: trivial Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19166) (cherry picked from commit 428511ca66670e169a0e1b12e7540714b0be4cf8)
author: Todd C. Miller <Todd.Miller@sudo.ws> 2022-10-24 08:00:48 -0600
committer: Tomas Mraz <tomas@openssl.org> 2022-10-26 12:49:43 +0200
commit: 91caaa3ba3e5db40e13ab7321072ea4cfce188e2 (patch)
tree: 93309adf2a7925f23691dc82b0598b0518f105c1 /ssl
parent: cc62162a540440eaabba92edcd8221f30f3fbfc4 (diff)
1 files changed, 1 insertions, 3 deletions
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index aa4acdbe53..73a821289d 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1063,9 +1063,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                  * alphanumeric, so we call this an error.
                  */
                 ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_COMMAND);
-                retval = found = 0;
-                l++;
-                break;
+                return 0;
             }
 
             if (rule == CIPHER_SPECIAL) {
author	Todd C. Miller <Todd.Miller@sudo.ws>	2022-10-24 08:00:48 -0600
committer	Tomas Mraz <tomas@openssl.org>	2022-10-26 12:49:43 +0200
commit	91caaa3ba3e5db40e13ab7321072ea4cfce188e2 (patch)
tree	93309adf2a7925f23691dc82b0598b0518f105c1 /ssl
parent	cc62162a540440eaabba92edcd8221f30f3fbfc4 (diff)