memcpy and terminate from openssl buffers

The memcpy is used instead of snprintf as the source data may not be null terminated and was causing OpenBSD to segfault.
2014-09-03 14:27:25 +01:00 · 2014-09-03 14:27:25 +01:00 · c695d3d007
parent 5492e96793
commit c695d3d007
1 changed files with 23 additions and 18 deletions
--- a/content/fetchers/curl.c
+++ b/content/fetchers/curl.c
@ -921,10 +921,12 @@ void fetch_curl_done(CURL *curl_handle, CURLcode result)
 			BIO_get_mem_ptr(mem, &buf);
 			(void) BIO_set_close(mem, BIO_NOCLOSE);
 			BIO_free(mem);
-			snprintf(ssl_certs[i].not_before,
-					min(sizeof ssl_certs[i].not_before,
-						(unsigned) buf->length + 1),
-					"%s", buf->data);
+			memcpy(ssl_certs[i].not_before,
+			       buf->data,
+			       min(sizeof(ssl_certs[i].not_before) - 1,
+				   (unsigned)buf->length));
+			ssl_certs[i].not_before[min(sizeof(ssl_certs[i].not_before) - 1,
+						    (unsigned)buf->length)] = 0;
 			BUF_MEM_free(buf);

 			mem = BIO_new(BIO_s_mem());
@ -933,10 +935,13 @@ void fetch_curl_done(CURL *curl_handle, CURLcode result)
 			BIO_get_mem_ptr(mem, &buf);
 			(void) BIO_set_close(mem, BIO_NOCLOSE);
 			BIO_free(mem);
-			snprintf(ssl_certs[i].not_after,
-					min(sizeof ssl_certs[i].not_after,
-						(unsigned) buf->length + 1),
-					"%s", buf->data);
+			memcpy(ssl_certs[i].not_after,
+			       buf->data,
+			       min(sizeof(ssl_certs[i].not_after) - 1,
+				   (unsigned)buf->length));
+			ssl_certs[i].not_after[min(sizeof(ssl_certs[i].not_after) - 1,
+						 (unsigned)buf->length)] = 0;
+
 			BUF_MEM_free(buf);

 			ssl_certs[i].sig_type =
@ -952,11 +957,11 @@ void fetch_curl_done(CURL *curl_handle, CURLcode result)
 			BIO_get_mem_ptr(mem, &buf);
 			(void) BIO_set_close(mem, BIO_NOCLOSE);
 			BIO_free(mem);
-			snprintf(ssl_certs[i].issuer,
-				 min(sizeof ssl_certs[i].issuer - 1,
-				     (unsigned) buf->length + 1),
-				 "%s", buf->data);
-			ssl_certs[i].issuer[min(sizeof ssl_certs[i].issuer,
+			memcpy(ssl_certs[i].issuer,
+			       buf->data,
+			       min(sizeof(ssl_certs[i].issuer) - 1,
+				   (unsigned) buf->length));
+			ssl_certs[i].issuer[min(sizeof(ssl_certs[i].issuer) - 1,
 						(unsigned) buf->length)] = 0;
 			BUF_MEM_free(buf);

@ -970,11 +975,11 @@ void fetch_curl_done(CURL *curl_handle, CURLcode result)
 			BIO_get_mem_ptr(mem, &buf);
 			(void) BIO_set_close(mem, BIO_NOCLOSE);
 			BIO_free(mem);
-			snprintf(ssl_certs[i].subject,
-				 min(sizeof(ssl_certs[i].subject) - 1,
-				     (unsigned) buf->length + 1),
-					"%s", buf->data);
-			ssl_certs[i].subject[min(sizeof(ssl_certs[i].subject),
+			memcpy(ssl_certs[i].subject,
+			       buf->data,
+			       min(sizeof(ssl_certs[i].subject) - 1,
+				   (unsigned)buf->length));
+			ssl_certs[i].subject[min(sizeof(ssl_certs[i].subject) - 1,
 						 (unsigned) buf->length)] = 0;
 			BUF_MEM_free(buf);