Browse code
Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
This is the equivalent of the 2.3 patch (04c84548c2) by Guido Vranken,
adjusted to code in the master and release/2.4 branches.
Trac: #890
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <143540d4-e8ea-b533-ad1a-8ae33bfd1133@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14653.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger authored on 2017/05/15 04:00:41Showing 1 changed files
| ... | ... |
@@ -315,7 +315,6 @@ x509_get_subject(X509 *cert, struct gc_arena *gc) |
| 315 | 315 |
BIO *subject_bio = NULL; |
| 316 | 316 |
BUF_MEM *subject_mem; |
| 317 | 317 |
char *subject = NULL; |
| 318 |
- int maxlen = 0; |
|
| 319 | 318 |
|
| 320 | 319 |
/* |
| 321 | 320 |
* Generate the subject string in OpenSSL proprietary format, |
| ... | ... |
@@ -346,11 +345,10 @@ x509_get_subject(X509 *cert, struct gc_arena *gc) |
| 346 | 346 |
|
| 347 | 347 |
BIO_get_mem_ptr(subject_bio, &subject_mem); |
| 348 | 348 |
|
| 349 |
- maxlen = subject_mem->length + 1; |
|
| 350 |
- subject = gc_malloc(maxlen, false, gc); |
|
| 349 |
+ subject = gc_malloc(subject_mem->length + 1, false, gc); |
|
| 351 | 350 |
|
| 352 |
- memcpy(subject, subject_mem->data, maxlen); |
|
| 353 |
- subject[maxlen - 1] = '\0'; |
|
| 351 |
+ memcpy(subject, subject_mem->data, subject_mem->length); |
|
| 352 |
+ subject[subject_mem->length] = '\0'; |
|
| 354 | 353 |
|
| 355 | 354 |
err: |
| 356 | 355 |
if (subject_bio) |