Prevent a very long password to buffer overflow the global variable we

use when built with a very old OpenSSL version.

diff --git a/lib/ssluse.c b/lib/ssluse.c
index adebde29425b87e0df53001408d0a95d105b7022..e7046221185ac3a984299088eec46d009b3ae05e 100644 (file)
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -261,7 +261,9 @@ int cert_stuff(struct connectdata *conn,
        * If password has been given, we store that in the global
        * area (*shudder*) for a while:
        */
-      strcpy(global_passwd, data->set.key_passwd);
+      size_t len = strlen(data->set.key_passwd);
+      if(len < sizeof(global_passwd))
+        memcpy(global_passwd, data->set.key_passwd, len+1);
 #else
       /*
        * We set the password in the callback userdata