From: Daniel Stenberg
Date: Sat, 20 Sep 2025 20:49:46 +0000 (+0200)
Subject: openssl: make the asn1_object_dump name null terminated
X-Git-Tag: rc-8_17_0-1~308
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bb46d42407cd0503a9c499b4646af594a4db4947;p=thirdparty%2Fcurl.git
openssl: make the asn1_object_dump name null terminated
In case the buffer is too small. Reported in Joshua's sarif data
Closes #18647
---
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 49bc02230b..4d37f5e77f 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -293,20 +293,10 @@ do { \
 } while(0)
 #endif
-static int asn1_object_dump(ASN1_OBJECT *a, char *buf, size_t len)
+static int asn1_object_dump(const ASN1_OBJECT *a, char *buf, size_t len)
 {
- int i, ilen;
-
- ilen = (int)len;
- if(ilen < 0)
- return 1; /* buffer too big */
-
- i = i2t_ASN1_OBJECT(buf, ilen, a);
-
- if(i >= ilen)
- return 1; /* buffer too small */
-
- return 0;
+ int i = i2t_ASN1_OBJECT(buf, (int)len, a);
+ return (i >= (int)len); /* buffer too small */
 }
 static CURLcode X509V3_ext(struct Curl_easy *data,
@@ -337,7 +327,9 @@ static CURLcode X509V3_ext(struct Curl_easy *data,
 obj = X509_EXTENSION_get_object(ext);
- asn1_object_dump(obj, namebuf, sizeof(namebuf));
+ if(asn1_object_dump(obj, namebuf, sizeof(namebuf)))
+ /* make sure the name is null-terminated */
+ namebuf [ sizeof(namebuf) - 1] = 0;
 if(!X509V3_EXT_print(bio_out, ext, 0, 0))
 ASN1_STRING_print(bio_out, (ASN1_STRING *)X509_EXTENSION_get_data(ext));
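Review bot: The `(int)len` cast in the new `asn1_object_dump` no longer has the range guard the removed lines carried (`if(ilen < 0) return 1;`), so a `len` above INT_MAX would be narrowed before it reaches `i2t_ASN1_OBJECT` and before the comparison. The only caller visible on this page passes `sizeof(namebuf)`, so this is presumably unreachable today, but the helper's contract is now implicit. Either keep a one-line guard such as `if(len > INT_MAX) return 1;` or state the precondition above the function, e.g. `/* returns non-zero if the name did not fit; len must fit in an int */`. Separately, a negative return from `i2t_ASN1_OBJECT`, if it can produce one on error, is still reported as success (0) here, as it was before the change; worth confirming and, if so, adding `i < 0 ||` to the return expression.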
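Review bot: The terminator in `X509V3_ext` is written only when `asn1_object_dump` reports truncation, so on a path where the helper returns 0 without having produced a name, `namebuf` is left exactly as it was; whether it is initialised is not visible in this hunk. Writing the terminator unconditionally is simpler and bounds any later string read of the buffer in both cases: call `asn1_object_dump(obj, namebuf, sizeof(namebuf));` and follow it with `namebuf[sizeof(namebuf) - 1] = 0;`. If the conditional form stays, brace the body, since a comment sitting between an unbraced `if` and its single statement is easy to break when a line is added later. The function body starts and ends outside the hunk, so how the possibly truncated name is consumed afterwards cannot be checked from here.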