From 6d047e06e67cd1f6d83a52b83643e96b4cdbfb51 Mon Sep 17 00:00:00 2001
From: Peter Wu
Date: Thu, 2 Feb 2017 12:11:10 +0100
Subject: [PATCH] SSL_get_shared_sigalgs: handle negative idx parameter
When idx is negative (as is the case with do_print_sigalgs in apps/s_cb.c), AddressSanitizer complains about a buffer overflow (read). Even if the pointer is not dereferenced, this is undefined behavior. Change the user not to use "-1" as index since the function is documented to return 0 on out-of-range values. Tested with `openssl s_server` and `curl -k https://localhost:4433`.
Reviewed-by: Rich Salz
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/2349)
---
 apps/s_cb.c | 2 +-
 ssl/t1_lib.c | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/apps/s_cb.c b/apps/s_cb.c
index 550969d704..e0d432dc75 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -239,7 +239,7 @@ static int do_print_sigalgs(BIO *out, SSL *s, int shared)
 int i, nsig, client;
 client = SSL_is_server(s) ? 0 : 1;
 if (shared)
- nsig = SSL_get_shared_sigalgs(s, -1, NULL, NULL, NULL, NULL, NULL);
+ nsig = SSL_get_shared_sigalgs(s, 0, NULL, NULL, NULL, NULL, NULL);
 else
 nsig = SSL_get_sigalgs(s, -1, NULL, NULL, NULL, NULL, NULL);
 if (nsig == 0)
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 1534a54f39..43340d4d49 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1684,6 +1684,7 @@ int SSL_get_shared_sigalgs(SSL *s, int idx,
 {
 const SIGALG_LOOKUP *shsigalgs;
 if (s->cert->shared_sigalgs == NULL
+ || idx < 0
 || idx >= (int)s->cert->shared_sigalgslen
 || s->cert->shared_sigalgslen > INT_MAX)
 return 0;
--
2.25.1
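Review bot: The two branches of `do_print_sigalgs` now fetch the count with different index values, `0` for `SSL_get_shared_sigalgs` and still `-1` for `SSL_get_sigalgs`, and nothing at the call site explains the difference. A short comment above the shared call would stop a later cleanup from "harmonising" them back, for example `/* idx must be in range here: SSL_get_shared_sigalgs() returns 0 for a negative idx */`. Whether `SSL_get_sigalgs` tolerates `-1` without forming an out-of-bounds pointer is not visible in this patch, so that is worth confirming while the pattern is being touched. The body of `do_print_sigalgs` continues outside the hunk.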
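Review bot: In the condition of `SSL_get_shared_sigalgs`, the conversion `(int)s->cert->shared_sigalgslen` is still evaluated before the `s->cert->shared_sigalgslen > INT_MAX` test that is meant to guard it. The function appears to return 0 either way because of the `||` chain, but a reader has to work that out. Moving `|| s->cert->shared_sigalgslen > INT_MAX` up to directly after the NULL test, ahead of `|| idx < 0`, keeps the cast in range by construction. The new line would also benefit from a comment recording why it exists, such as `/* a negative idx would form a pointer before shared_sigalgs, which is undefined even if never dereferenced */`. The rest of the signature and the body that uses `idx` lie outside the hunk.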