Commit 6d047e06 authored Feb 02, 2017 by Peter Wu Committed by Matt Caswell Feb 09, 2017

SSL_get_shared_sigalgs: handle negative idx parameter



When idx is negative (as is the case with do_print_sigalgs in
apps/s_cb.c), AddressSanitizer complains about a buffer overflow (read).
Even if the pointer is not dereferenced, this is undefined behavior.

Change the user not to use "-1" as index since the function is
documented to return 0 on out-of-range values.

Tested with `openssl s_server` and `curl -k https://localhost:4433`.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2349)

parent 68a55f3b

apps/s_cb.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -239,7 +239,7 @@ static int do_print_sigalgs(BIO out, SSL s, int shared)
		int i, nsig, client;
		client = SSL_is_server(s) ? 0 : 1;
		if (shared)
		nsig = SSL_get_shared_sigalgs(s, -1, NULL, NULL, NULL, NULL, NULL);
		nsig = SSL_get_shared_sigalgs(s, 0, NULL, NULL, NULL, NULL, NULL);
		else
		nsig = SSL_get_sigalgs(s, -1, NULL, NULL, NULL, NULL, NULL);
		if (nsig == 0)

ssl/t1_lib.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -1684,6 +1684,7 @@ int SSL_get_shared_sigalgs(SSL *s, int idx,
		{
		const SIGALG_LOOKUP *shsigalgs;
		if (s->cert->shared_sigalgs == NULL
		\|\| idx < 0
		\|\| idx >= (int)s->cert->shared_sigalgslen
		\|\| s->cert->shared_sigalgslen > INT_MAX)
		return 0;