Diffstat (limited to 'security/openssl/patches/patch-ao')
-rw-r--r--security/openssl/patches/patch-ao54
1 files changed, 44 insertions, 10 deletions
diff --git a/security/openssl/patches/patch-ao b/security/openssl/patches/patch-ao
index 0b53ba7001a..957a0e527d6 100644
--- a/security/openssl/patches/patch-ao
+++ b/security/openssl/patches/patch-ao
@@ -1,15 +1,49 @@
-$NetBSD: patch-ao,v 1.1 2006/09/30 04:20:24 taca Exp $
+$NetBSD: patch-ao,v 1.1.10.1 2007/10/22 08:47:23 ghen Exp $
-# http://secunia.com/advisories/22130/
+# CVE-2007-5135
---- ssl/ssl_lib.c.orig 2005-06-11 05:00:39.000000000 +0900
+--- ssl/ssl_lib.c.orig 2005-06-10 21:00:39.000000000 +0100
+++ ssl/ssl_lib.c
-@@ -1187,7 +1187,7 @@ char *SSL_get_shared_ciphers(const SSL *
+@@ -1169,7 +1169,6 @@ int SSL_set_cipher_list(SSL *s,const cha
+ char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
+ {
+ char *p;
+- const char *cp;
+ STACK_OF(SSL_CIPHER) *sk;
+ SSL_CIPHER *c;
+ int i;
+@@ -1182,20 +1181,21 @@ char *SSL_get_shared_ciphers(const SSL *
+ sk=s->session->ciphers;
+ for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
+ {
+- /* Decrement for either the ':' or a '\0' */
+- len--;
++ int n;
++
c=sk_SSL_CIPHER_value(sk,i);
- for (cp=c->name; *cp; )
- {
+- for (cp=c->name; *cp; )
+- {
- if (len-- == 0)
-+ if (len-- <= 0)
- {
- *p='\0';
- return(buf);
+- {
+- *p='\0';
+- return(buf);
+- }
+- else
+- *(p++)= *(cp++);
+- }
+- *(p++)=':';
++ n=strlen(c->name);
++ if (n+1 > len)
++ {
++ if (p != buf)
++ --p;
++ *p='\0';
++ return buf;
++ }
++ strcpy(p,c->name);
++ p+=n;
++ *(p++)=':';
++ len-=n+1;
+ }
+ p[-1]='\0';
+ return(buf);
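Review bot: The closing `p[-1]='\0';` after the rewritten loop in the second ssl_lib.c hunk still writes one byte before `buf` if the loop body never runs, because `p` is then still equal to `buf`. The new `n+1 > len` check bounds every copy inside the loop, but nothing in the visible lines rejects a cipher stack for which `sk_SSL_CIPHER_num(sk)` is 0. The function's entry checks lie between the two ssl_lib.c hunks and are not shown, so confirm this against the full file. If the empty case is not excluded there, add `if (sk_SSL_CIPHER_num(sk) == 0) return(NULL);` before the `for` loop. Separately, `n=strlen(c->name);` narrows a `size_t` into an `int`; a short comment that cipher names are short, library-defined constants would explain why this is safe.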