openssl/patches/openssl-0.9.8e-CVE-2007-5135.patch

http://bugs.gentoo.org/194039

Index: ssl/ssl_lib.c
===================================================================
RCS file: /usr/local/src/openssl/CVSROOT/openssl/ssl/ssl_lib.c,v
retrieving revision 1.133.2.9
retrieving revision 1.133.2.10
diff -u -p -r1.133.2.9 -r1.133.2.10
--- ssl/ssl_lib.c	12 Aug 2007 18:59:02 -0000	1.133.2.9
+++ ssl/ssl_lib.c	19 Sep 2007 12:16:21 -0000	1.133.2.10
@@ -1210,7 +1210,6 @@ int SSL_set_cipher_list(SSL *s,const cha
 char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
 	{
 	char *p;
-	const char *cp;
 	STACK_OF(SSL_CIPHER) *sk;
 	SSL_CIPHER *c;
 	int i;
@@ -1223,20 +1222,21 @@ char *SSL_get_shared_ciphers(const SSL *
 	sk=s->session->ciphers;
 	for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
 		{
-		/* Decrement for either the ':' or a '\0' */
-		len--;
+		int n;
+
 		c=sk_SSL_CIPHER_value(sk,i);
-		for (cp=c->name; *cp; )
+		n=strlen(c->name);
+		if (n+1 > len)
 			{
-			if (len-- <= 0)
-				{
-				*p='\0';
-				return(buf);
-				}
-			else
-				*(p++)= *(cp++);
+			if (p != buf)
+				--p;
+			*p='\0';
+			return buf;
 			}
+		strcpy(p,c->name);
+		p+=n;
 		*(p++)=':';
+		len-=n+1;
 		}
 	p[-1]='\0';
 	return(buf);
1	niro	367	http://bugs.gentoo.org/194039
2
3			Index: ssl/ssl_lib.c
4			===================================================================
5			RCS file: /usr/local/src/openssl/CVSROOT/openssl/ssl/ssl_lib.c,v
6			retrieving revision 1.133.2.9
7			retrieving revision 1.133.2.10
8			diff -u -p -r1.133.2.9 -r1.133.2.10
9			--- ssl/ssl_lib.c 12 Aug 2007 18:59:02 -0000 1.133.2.9
10			+++ ssl/ssl_lib.c 19 Sep 2007 12:16:21 -0000 1.133.2.10
11			@@ -1210,7 +1210,6 @@ int SSL_set_cipher_list(SSL *s,const cha
12			char SSL_get_shared_ciphers(const SSL s,char *buf,int len)
13			{
14			char *p;
15			- const char *cp;
16			STACK_OF(SSL_CIPHER) *sk;
17			SSL_CIPHER *c;
18			int i;
19			@@ -1223,20 +1222,21 @@ char SSL_get_shared_ciphers(const SSL
20			sk=s->session->ciphers;
21			for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
22			{
23			- /* Decrement for either the ':' or a '\0' */
24			- len--;
25			+ int n;
26			+
27			c=sk_SSL_CIPHER_value(sk,i);
28			- for (cp=c->name; *cp; )
29			+ n=strlen(c->name);
30			+ if (n+1 > len)
31			{
32			- if (len-- <= 0)
33			- {
34			- *p='\0';
35			- return(buf);
36			- }
37			- else
38			- (p++)= (cp++);
39			+ if (p != buf)
40			+ --p;
41			+ *p='\0';
42			+ return buf;
43			}
44			+ strcpy(p,c->name);
45			+ p+=n;
46			*(p++)=':';
47			+ len-=n+1;
48			}
49			p[-1]='\0';
50			return(buf);