When no cipher names are appended, p remains at buf and the unconditional
p[-1] = '\0' underflows. Only NUL-terminate if at least one cipher was written;
otherwise return an empty string safely.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28785)
continue;
n = (int)OPENSSL_strnlen(c->name, size);
- if (n >= size) {
- if (p != buf)
- --p;
- *p = '\0';
- return buf;
- }
+ if (n >= size)
+ break;
+
memcpy(p, c->name, n);
p += n;
*(p++) = ':';
size -= n + 1;
}
+
+ /* No overlap */
+ if (p == buf)
+ return NULL;
+
p[-1] = '\0';
return buf;
}