From 680491a2a7403fc6e5e1759e0eabeceeacaf37f9 Mon Sep 17 00:00:00 2001 From: Joshua Rogers Date: Thu, 9 Oct 2025 06:14:15 +0800 Subject: [PATCH] ssl: fix OOB write in SSL_get_shared_ciphers when no shared ciphers When no cipher names are appended, p remains at buf and the unconditional p[-1] = '\0' underflows. Only NUL-terminate if at least one cipher was written; otherwise return an empty string safely. Signed-off-by: Joshua Rogers Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/28785) --- ssl/ssl_lib.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 287fbaa0385..951723748ff 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -3458,17 +3458,19 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size) continue; n = (int)OPENSSL_strnlen(c->name, size); - if (n >= size) { - if (p != buf) - --p; - *p = '\0'; - return buf; - } + if (n >= size) + break; + memcpy(p, c->name, n); p += n; *(p++) = ':'; size -= n + 1; } + + /* No overlap */ + if (p == buf) + return NULL; + p[-1] = '\0'; return buf; } -- 2.47.3
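Review bot: The new `if (p == buf) return NULL;` is reached in two situations, not only the "no overlap" one its comment names: when no shared cipher was found, and when the loop takes `break` on the very first shared cipher because its name does not fit in `size`. In that second case the removed code wrote `*p = '\0'` and returned `buf`, whereas the new code returns NULL and leaves `buf` unwritten, which also differs from the commit message's "return an empty string safely"; a caller that ignores the return value and then reads `buf` could see uninitialised bytes. Consider terminating the buffer before the early return, e.g. `if (p == buf) { *buf = '\0'; return NULL; }` (assuming the part of the function above the hunk, not visible here, guarantees `size >= 1`), and widening the comment to `/* No shared cipher, or the first name did not fit */`. The function body starts outside the hunk, so any existing documentation of the NULL return could not be checked from here.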