ssl: fix OOB write in SSL_get_shared_ciphers when no shared ciphers
authorJoshua Rogers <MegaManSec@users.noreply.github.com>
Wed, 8 Oct 2025 22:14:15 +0000 (06:14 +0800)
committerTomas Mraz <tomas@openssl.org>
Fri, 17 Oct 2025 16:54:28 +0000 (18:54 +0200)
When no cipher names are appended, p remains at buf and the unconditional
p[-1] = '\0' underflows. Only NUL-terminate if at least one cipher was written;
otherwise return an empty string safely.

Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28785)

ssl/ssl_lib.c

index 287fbaa038565c494b1368925f06fde7dadb2344..951723748ffd358277266ec99940beb8739ff7be 100644 (file)
@@ -3458,17 +3458,19 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size)
             continue;
 
         n = (int)OPENSSL_strnlen(c->name, size);
-        if (n >= size) {
-            if (p != buf)
-                --p;
-            *p = '\0';
-            return buf;
-        }
+        if (n >= size)
+            break;
+
         memcpy(p, c->name, n);
         p += n;
         *(p++) = ':';
         size -= n + 1;
     }
+
+    /* No overlap */
+    if (p == buf)
+        return NULL;
+
     p[-1] = '\0';
     return buf;
 }
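Review bot: The new `if (p == buf) return NULL;` check is reached not only when no cipher is shared but also when the first shared name does not fit, since `n >= size` on the first match now takes the `break`. In that case the removed branch wrote `*p = '\0'` and returned `buf`, whereas the new code returns NULL and leaves `buf` unwritten, so a caller that ignores the return value and reads `buf` as a string would see whatever the buffer held before the call. If `size` is guaranteed to be at least 1 at this point (any such check is outside this hunk, so confirm), consider adding `buf[0] = '\0';` before `return NULL;`. The comment `/* No overlap */` would also be clearer as `/* Nothing written: no shared cipher, or the first name did not fit */`. The opening of SSL_get_shared_ciphers lies outside the hunk.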