From a91c54de67312f4026db61fd2b0e98cbd11e5323 Mon Sep 17 00:00:00 2001 From: Steffan Karger Date: Sun, 14 May 2017 21:00:41 +0200 Subject: [PATCH] Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c) This is the equivalent of the 2.3 patch (04c84548c2) by Guido Vranken, adjusted to code in the master and release/2.4 branches. Trac: #890 Signed-off-by: Steffan Karger Acked-by: Gert Doering Message-Id: <143540d4-e8ea-b533-ad1a-8ae33bfd1133@karger.me> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14653.html Signed-off-by: Gert Doering (cherry picked from commit 3fbc9d2b1b1e75b227107057b92ce6b786b5bea1) --- src/openvpn/ssl_verify_openssl.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 4906c7d3d..1dfd45a45 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -315,7 +315,6 @@ x509_get_subject(X509 *cert, struct gc_arena *gc) BIO *subject_bio = NULL; BUF_MEM *subject_mem; char *subject = NULL; - int maxlen = 0; /* * Generate the subject string in OpenSSL proprietary format, @@ -346,11 +345,10 @@ x509_get_subject(X509 *cert, struct gc_arena *gc) BIO_get_mem_ptr(subject_bio, &subject_mem); - maxlen = subject_mem->length + 1; - subject = gc_malloc(maxlen, false, gc); + subject = gc_malloc(subject_mem->length + 1, false, gc); - memcpy(subject, subject_mem->data, maxlen); - subject[maxlen - 1] = '\0'; + memcpy(subject, subject_mem->data, subject_mem->length); + subject[subject_mem->length] = '\0'; err: if (subject_bio) -- 2.47.2
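Review bot: in the second hunk of x509_get_subject, `subject_mem->length` is now read three separate times (the `gc_malloc` size, the `memcpy` length and the terminator index), so the allocation size and the copy length are kept consistent only by repetition. Holding the value once in a local of the same type as `subject_mem->length`, then using that local plus one for the allocation and the local itself for the copy and the terminator index, would make the relationship explicit without bringing back the off-by-one that `maxlen` carried. A one-line comment stating that only `subject_mem->length` bytes of `subject_mem->data` may be read would record why the copy no longer includes the extra byte. Separately, the visible lines dereference `subject_mem` directly after `BIO_get_mem_ptr()` with no check in between; if the code above the hunk does not already guarantee a non-NULL buffer, a check before the `memcpy` is worth adding.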