From 5aa290f0f209f12130f7a1375c1b76af707e95f2 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 5 Nov 2013 09:56:18 +0100 Subject: Curl_ssl_push_certinfo_len: don't %.*s non-zero-terminated string Our own printf() replacement clearly can't properly handle %.*s with a string that isn't zero terminated. Instead of fixing the printf code or even figuring out what the proper posix behavior is, I reverted this piece of the code back to the previous version where it does malloc + memcpy instead. Regression added in e839446c2a5, released in curl 7.32.0. Reported-by: Felix Yan Bug: http://curl.haxx.se/bug/view.cgi?id=1295 --- lib/sslgen.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/lib/sslgen.c b/lib/sslgen.c index d2d0e303e..887b95ff4 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -611,6 +611,9 @@ int Curl_ssl_init_certinfo(struct SessionHandle * data, return 0; } +/* + * 'value' is NOT a zero terminated string + */ CURLcode Curl_ssl_push_certinfo_len(struct SessionHandle *data, int certnum, const char *label, @@ -621,12 +624,22 @@ CURLcode Curl_ssl_push_certinfo_len(struct SessionHandle *data, char * output; struct curl_slist * nl; CURLcode res = CURLE_OK; + size_t labellen = strlen(label); + size_t outlen = labellen + 1 + valuelen + 1; /* label:value\0 */ - /* Add an information record for a particular certificate. */ - output = curl_maprintf("%s:%.*s", label, valuelen, value); + output = malloc(outlen); if(!output) return CURLE_OUT_OF_MEMORY; + /* sprintf the label and colon */ + snprintf(output, outlen, "%s:", label); + + /* memcpy the value (it might not be zero terminated) */ + memcpy(&output[labellen+1], value, valuelen); + + /* zero terminate the output */ + output[labellen + 1 + valuelen] = 0; + nl = Curl_slist_append_nodup(ci->certinfo[certnum], output); if(!nl) { free(output); -- cgit v1.2.3