Commit 5aa290f0 authored by Daniel Stenberg's avatar Daniel Stenberg
Browse files

Curl_ssl_push_certinfo_len: don't %.*s non-zero-terminated string 

Our own printf() replacement clearly can't properly handle %.*s with a
string that isn't zero terminated. Instead of fixing the printf code or
even figuring out what the proper posix behavior is, I reverted this
piece of the code back to the previous version where it does malloc +
memcpy instead.

Regression added in e839446c, released in curl 7.32.0.

Reported-by: Felix Yan
Bug: http://curl.haxx.se/bug/view.cgi?id=1295
parent f0831f79

lib/sslgen.c

+15 −2
Original line number Diff line number Diff line
@@ -611,6 +611,9 @@ int Curl_ssl_init_certinfo(struct SessionHandle * data, 
  return 0;

}



/*

 * 'value' is NOT a zero terminated string

 */

CURLcode Curl_ssl_push_certinfo_len(struct SessionHandle *data,

                                    int certnum,

                                    const char *label,
@@ -621,12 +624,22 @@ CURLcode Curl_ssl_push_certinfo_len(struct SessionHandle *data, 
  char * output;

  struct curl_slist * nl;

  CURLcode res = CURLE_OK;

  size_t labellen = strlen(label);

  size_t outlen = labellen + 1 + valuelen + 1; /* label:value\0 */



  /* Add an information record for a particular certificate. */

  output = curl_maprintf("%s:%.*s", label, valuelen, value);

  output = malloc(outlen);

  if(!output)

    return CURLE_OUT_OF_MEMORY;



  /* sprintf the label and colon */

  snprintf(output, outlen, "%s:", label);



  /* memcpy the value (it might not be zero terminated) */

  memcpy(&output[labellen+1], value, valuelen);



  /* zero terminate the output */

  output[labellen + 1 + valuelen] = 0;



  nl = Curl_slist_append_nodup(ci->certinfo[certnum], output);

  if(!nl) {

    free(output);