From 6d047e06e67cd1f6d83a52b83643e96b4cdbfb51 Mon Sep 17 00:00:00 2001
From: Peter Wu <peter@lekensteyn.nl>
Date: Thu, 2 Feb 2017 12:11:10 +0100
Subject: [PATCH] SSL_get_shared_sigalgs: handle negative idx parameter

When idx is negative (as is the case with do_print_sigalgs in
apps/s_cb.c), AddressSanitizer complains about a buffer overflow (read).
Even if the pointer is not dereferenced, this is undefined behavior.

Change the user not to use "-1" as index since the function is
documented to return 0 on out-of-range values.

Tested with `openssl s_server` and `curl -k https://localhost:4433`.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2349)
---
 apps/s_cb.c  | 2 +-
 ssl/t1_lib.c | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/apps/s_cb.c b/apps/s_cb.c
index 550969d704..e0d432dc75 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -239,7 +239,7 @@ static int do_print_sigalgs(BIO *out, SSL *s, int shared)
     int i, nsig, client;
     client = SSL_is_server(s) ? 0 : 1;
     if (shared)
-        nsig = SSL_get_shared_sigalgs(s, -1, NULL, NULL, NULL, NULL, NULL);
+        nsig = SSL_get_shared_sigalgs(s, 0, NULL, NULL, NULL, NULL, NULL);
     else
         nsig = SSL_get_sigalgs(s, -1, NULL, NULL, NULL, NULL, NULL);
     if (nsig == 0)
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 1534a54f39..43340d4d49 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1684,6 +1684,7 @@ int SSL_get_shared_sigalgs(SSL *s, int idx,
 {
     const SIGALG_LOOKUP *shsigalgs;
     if (s->cert->shared_sigalgs == NULL
+        || idx < 0
         || idx >= (int)s->cert->shared_sigalgslen
         || s->cert->shared_sigalgslen > INT_MAX)
         return 0;
-- 
GitLab