From: Guido Vranken <guidovranken@gmail.com>
Date: Sat, 13 May 2017 10:37:50 +0000 (+0200)
Subject: Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
X-Git-Tag: v2.3.16~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=04c84548c2;p=thirdparty%2Fopenvpn.git

Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)

Trac: #890

Signed-off-by: Guido Vranken <guidovranken@gmail.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <CAO5O-EKGgpYAsJC5j+osB_LAteoUDbOwVYVqkB2=cA3a6VVHoA@mail.gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14649.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---

diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index 8374783ea..d64f83c91 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -285,11 +285,11 @@ x509_get_subject (X509 *cert, struct gc_arena *gc)
 
   BIO_get_mem_ptr (subject_bio, &subject_mem);
 
-  maxlen = subject_mem->length + 1;
-  subject = gc_malloc (maxlen, false, gc);
+  maxlen = subject_mem->length;
+  subject = gc_malloc (maxlen+1, false, gc);
 
   memcpy (subject, subject_mem->data, maxlen);
-  subject[maxlen - 1] = '\0';
+  subject[maxlen] = '\0';
 
 err:
   if (subject_bio)