From: Steffan Karger Date: Sun, 14 May 2017 19:00:41 +0000 (+0200) Subject: Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c) X-Git-Tag: v2.5_beta1~689 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3fbc9d2b1b1e75b227107057b92ce6b786b5bea1;p=thirdparty%2Fopenvpn.git Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c) This is the equivalent of the 2.3 patch (04c84548c2) by Guido Vranken, adjusted to code in the master and release/2.4 branches. Trac: #890 Signed-off-by: Steffan Karger Acked-by: Gert Doering Message-Id: <143540d4-e8ea-b533-ad1a-8ae33bfd1133@karger.me> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14653.html Signed-off-by: Gert Doering --- diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 72eb3b0c6..9b1533bc9 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -315,7 +315,6 @@ x509_get_subject(X509 *cert, struct gc_arena *gc) BIO *subject_bio = NULL; BUF_MEM *subject_mem; char *subject = NULL; - int maxlen = 0; /* * Generate the subject string in OpenSSL proprietary format, @@ -346,11 +345,10 @@ x509_get_subject(X509 *cert, struct gc_arena *gc) BIO_get_mem_ptr(subject_bio, &subject_mem); - maxlen = subject_mem->length + 1; - subject = gc_malloc(maxlen, false, gc); + subject = gc_malloc(subject_mem->length + 1, false, gc); - memcpy(subject, subject_mem->data, maxlen); - subject[maxlen - 1] = '\0'; + memcpy(subject, subject_mem->data, subject_mem->length); + subject[subject_mem->length] = '\0'; err: if (subject_bio)
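Review bot: in the second hunk of x509_get_subject, `subject_mem->length` is now spelled out three times (allocation size, memcpy length, terminator index), and nothing ties those three uses together if one of them is edited later. A single local such as `const size_t len = subject_mem->length;`, used for `gc_malloc(len + 1, ...)`, `memcpy(subject, subject_mem->data, len)` and `subject[len] = '\0'`, would keep the allocation and the copy in step. The removed `maxlen` was an `int` holding length + 1, and reusing it as the memcpy count is what produced the one-byte over-read from `subject_mem->data`, so a short comment above the memcpy would also help. It should say that only `length` bytes of the BIO buffer are copied and that the terminator is written separately, to stop the `+ 1` from migrating back into the copy.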