author: Peter Wu <peter@lekensteyn.nl> 2017-02-02 12:11:10 +0100
committer: Matt Caswell <matt@openssl.org> 2017-02-09 09:48:46 +0000
commit: 6d047e06e67cd1f6d83a52b83643e96b4cdbfb51 (patch)
tree: 236b80510a9b6fb8a0a1ecb5d2a48b7e7c6823c0 /ssl
parent: 68a55f3b451060c747986aeffa322d32c770dd62 (diff)
SSL_get_shared_sigalgs: handle negative idx parameter

When idx is negative (as is the case with do_print_sigalgs in apps/s_cb.c), AddressSanitizer complains about a buffer overflow (read). Even if the pointer is not dereferenced, this is undefined behavior.

Change the user not to use "-1" as index since the function is documented to return 0 on out-of-range values.

Tested with `openssl s_server` and `curl -k https://localhost:4433`.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2349)

Diffstat (limited to 'ssl')
-rw-r--r-- ssl/t1_lib.c | 1
1 files changed, 1 insertions, 0 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 1534a54f39..43340d4d49 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1684,6 +1684,7 @@ int SSL_get_shared_sigalgs(SSL *s, int idx,
{
const SIGALG_LOOKUP *shsigalgs;
if (s->cert->shared_sigalgs == NULL
+ || idx < 0
|| idx >= (int)s->cert->shared_sigalgslen
|| s->cert->shared_sigalgslen > INT_MAX)
return 0;
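
Review bot: In the condition, `idx >= (int)s->cert->shared_sigalgslen` is still evaluated before the `s->cert->shared_sigalgslen > INT_MAX` test, so the cast to int is applied to a length that has not yet been checked to fit. Placing the new `idx < 0` test at the front of the chain is right; consider also moving the INT_MAX test ahead of the cast comparison, so the conversion only ever sees a value known to be in range. The commit message says the caller in apps/s_cb.c is changed to stop passing -1, but this view is limited to ssl/, so that half of the change cannot be checked from here.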