From: Joshua Rogers Date: Wed, 8 Oct 2025 22:14:15 +0000 (+0800) Subject: ssl: fix OOB write in SSL_get_shared_ciphers when no shared ciphers X-Git-Tag: 4.0-PRE-CLANG-FORMAT-WEBKIT~346 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=680491a2a7403fc6e5e1759e0eabeceeacaf37f9;p=thirdparty%2Fopenssl.git ssl: fix OOB write in SSL_get_shared_ciphers when no shared ciphers When no cipher names are appended, p remains at buf and the unconditional p[-1] = '\0' underflows. Only NUL-terminate if at least one cipher was written; otherwise return an empty string safely. Signed-off-by: Joshua Rogers Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/28785) --- diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 287fbaa0385..951723748ff 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -3458,17 +3458,19 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size) continue; n = (int)OPENSSL_strnlen(c->name, size); - if (n >= size) { - if (p != buf) - --p; - *p = '\0'; - return buf; - } + if (n >= size) + break; + memcpy(p, c->name, n); p += n; *(p++) = ':'; size -= n + 1; } + + /* No overlap */ + if (p == buf) + return NULL; + p[-1] = '\0'; return buf; }
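Review bot: The new `if (p == buf) return NULL;` after the loop does not match the commit message, which says the function should "return an empty string safely" when no cipher was written. On this path the function returns NULL without writing a terminator to buf. The truncation case changes as well: the removed block wrote `*p = '\0'` and returned buf when the first name did not fit, whereas `break` now falls through to the NULL return. Either set `buf[0] = '\0'` and return buf there, or say in the commit message and the function's documentation that NULL is returned, so callers know to check for it. The `/* No overlap */` comment could also state that no cipher name was appended, since that is what `p == buf` tests.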