Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)

This is the equivalent of the 2.3 patch (04c84548c2) by Guido Vranken,
adjusted to code in the master and release/2.4 branches.

Trac: #890

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <143540d4-e8ea-b533-ad1a-8ae33bfd1133@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14653.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index 72eb3b0c61cfdcead978fd8851033cb5a1003079..9b1533bc9bc370c5da864e3f9796608ca64562b9 100644 (file)
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -315,7 +315,6 @@ x509_get_subject(X509 *cert, struct gc_arena *gc)
     BIO *subject_bio = NULL;
     BUF_MEM *subject_mem;
     char *subject = NULL;
-    int maxlen = 0;
 
     /*
      * Generate the subject string in OpenSSL proprietary format,
@@ -346,11 +345,10 @@ x509_get_subject(X509 *cert, struct gc_arena *gc)
 
     BIO_get_mem_ptr(subject_bio, &subject_mem);
 
-    maxlen = subject_mem->length + 1;
-    subject = gc_malloc(maxlen, false, gc);
+    subject = gc_malloc(subject_mem->length + 1, false, gc);
 
-    memcpy(subject, subject_mem->data, maxlen);
-    subject[maxlen - 1] = '\0';
+    memcpy(subject, subject_mem->data, subject_mem->length);
+    subject[subject_mem->length] = '\0';
 
 err:
     if (subject_bio)