rpms / openssl098e

Clone
Source Code
GIT

Blame SOURCES/openssl-0.9.8b-cve-2007-5135.patch

c4 c5 c5-plus c6 c6-plus c7 c7-beta
  1.   5820f55c83d296decb4f8def2db1aa47ac8b3e88
  2.   SOURCES
  3.   openssl-0.9.8b-cve-2007-5135.patch
Blob History Raw
5820f5 
Possible one byte buffer overflow in SSL_get_shared_ciphers.
5820f5 
CVE-2007-5135
5820f5 
diff -up openssl-0.9.8b/ssl/ssl_lib.c.orig openssl-0.9.8b/ssl/ssl_lib.c
5820f5 
--- openssl-0.9.8b/ssl/ssl_lib.c.orig	2007-10-08 10:20:42.000000000 +0200
5820f5 
+++ openssl-0.9.8b/ssl/ssl_lib.c	2007-10-08 17:32:29.000000000 +0200
5820f5 
@@ -1201,7 +1201,6 @@ int SSL_set_cipher_list(SSL *s,const cha
5820f5 
 char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
5820f5 
 	{
5820f5 
 	char *p;
5820f5 
-	const char *cp;
5820f5 
 	STACK_OF(SSL_CIPHER) *sk;
5820f5 
 	SSL_CIPHER *c;
5820f5 
 	int i;
5820f5 
@@ -1214,20 +1213,21 @@ char *SSL_get_shared_ciphers(const SSL *
5820f5 
 	sk=s->session->ciphers;
5820f5 
 	for (i=0; i
5820f5 
 		{
5820f5 
-		/* Decrement for either the ':' or a '\0' */
5820f5 
-		len--;
5820f5 
+		int n;
5820f5 
+
5820f5 
 		c=sk_SSL_CIPHER_value(sk,i);
5820f5 
-		for (cp=c->name; *cp; )
5820f5 
+		n=strlen(c->name);
5820f5 
+		if (n+1 > len)
5820f5 
 			{
5820f5 
-			if (len-- <= 0)
5820f5 
-				{
5820f5 
-				*p='\0';
5820f5 
-				return(buf);
5820f5 
-				}
5820f5 
-			else
5820f5 
-				*(p++)= *(cp++);
5820f5 
+			if (p != buf)
5820f5 
+				--p;
5820f5 
+			*p='\0';
5820f5 
+			return buf;
5820f5 
 			}
5820f5 
+		strcpy(p,c->name);
5820f5 
+		p+=n;
5820f5 
 		*(p++)=':';
5820f5 
+		len-=n+1;
5820f5 
 		}
5820f5 
 	p[-1]='\0';
5820f5 
 	return(buf);

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation