mbedtls: fix CURLOPT_SSLCERT_BLOBbagder/mbedtls-ssl_cert_blob

The memory passed to mbedTLS for this needs to be null terminated. Reported-by: Florian Van Heghe
author: Daniel Stenberg <daniel@haxx.se> 2021-12-14 10:00:34 +0100
committer: Daniel Stenberg <daniel@haxx.se> 2021-12-14 10:00:34 +0100
commit: 0e87c373e13aebe4ce1f5970bb0166b34ed5c61e (patch)
tree: 3c91bae93f6f523ee957805f8f6df9dc7a0ac481
parent: f03cc1b7a693b03eddfed2b4c7f8b5fcba9a22e5 (diff)
download: curl-bagder/mbedtls-ssl_cert_blob.tar.gz
1 files changed, 10 insertions, 3 deletions
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index 7f1ff198c..e4d9b802a 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -381,10 +381,17 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
   }
 
   if(ssl_cert_blob) {
-    const unsigned char *blob_data =
-      (const unsigned char *)ssl_cert_blob->data;
-    ret = mbedtls_x509_crt_parse(&backend->clicert, blob_data,
+    /* Unfortunately, mbedtls_x509_crt_parse() requires the data to be null
+       terminated even when provided the exact length, forcing us to waste
+       extra memory here. */
+    unsigned char *newblob = malloc(ssl_cert_blob->len + 1);
+    if(!newblob)
+      return CURLE_OUT_OF_MEMORY;
+    memcpy(newblob, ssl_cert_blob->data, ssl_cert_blob->len);
+    newblob[ssl_cert_blob->len] = 0; /* null terminate */
+    ret = mbedtls_x509_crt_parse(&backend->clicert, newblob,
                                  ssl_cert_blob->len);
+    free(newblob);
 
     if(ret) {
       mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
author	Daniel Stenberg <daniel@haxx.se>	2021-12-14 10:00:34 +0100
committer	Daniel Stenberg <daniel@haxx.se>	2021-12-14 10:00:34 +0100
commit	0e87c373e13aebe4ce1f5970bb0166b34ed5c61e (patch)
tree	3c91bae93f6f523ee957805f8f6df9dc7a0ac481
parent	f03cc1b7a693b03eddfed2b4c7f8b5fcba9a22e5 (diff)
download	curl-bagder/mbedtls-ssl_cert_blob.tar.gz