Commit 029d629db2 for openssl.org

commit 029d629db23e95c6e827d09dae89ee8b4b54f3e2
Author: Eugene Syromiatnikov <esyr@openssl.org>
Date:   Tue Jun 23 10:06:04 2026 +0200

    include/internal/hashtable.h: avoid OOB read in ossl_ht_strcase()

    Avoid accessing src[len] by swapping the check order and bound check
    the iterator variable before the access.

    Found by cppcheck.

    Fixes: cc4ea5e00028 "Introduce new internal hashtable implementation"
    Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>

    Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
    Reviewed-by: Neil Horman <nhorman@openssl.org>
    Reviewed-by: Paul Dale <paul.dale@oracle.com>
    MergeDate: Wed Jun 24 13:09:25 2026
    (Merged from https://github.com/openssl/openssl/pull/31663)

diff --git a/include/internal/hashtable.h b/include/internal/hashtable.h
index 7c4150ba28..9aad653097 100644
--- a/include/internal/hashtable.h
+++ b/include/internal/hashtable.h
@@ -357,7 +357,7 @@ static ossl_inline ossl_unused void ossl_ht_strcase(HT_KEY *key, char *tgt, cons
     if (key != NULL && key->keysize + len > key->bufsize)
         len = (size_t)(key->bufsize - key->keysize);

-    for (i = 0; src[i] != '\0' && i < len; i++)
+    for (i = 0; i < len && src[i] != '\0'; i++)
         tgt[i] = case_adjust & src[i];
 }