diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2021-12-14 09:34:46 +0100 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2021-12-14 11:52:14 +0100 |
| commit | 9d0d16d43542e341ec85acae82dca35855327cb0 (patch) | |
| tree | 1203f4badb674358b1927d4d7332510a12db7d4a | |
| parent | f03cc1b7a693b03eddfed2b4c7f8b5fcba9a22e5 (diff) | |
| download | curl-9d0d16d43542e341ec85acae82dca35855327cb0.tar.gz | |
mbedtls: do a separate malloc for ca_info_blob
Since the mbedTLS API requires the data to the null terminated.
Follow-up to 456c53730d21b1fad0c7f72c1817
Fixes #8139
Closes #8145
| -rw-r--r-- | lib/vtls/mbedtls.c | 36 |
1 files changed, 17 insertions, 19 deletions
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c index 7f1ff198c..113eb9196 100644 --- a/lib/vtls/mbedtls.c +++ b/lib/vtls/mbedtls.c @@ -319,36 +319,34 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, /* Load the trusted CA */ mbedtls_x509_crt_init(&backend->cacert); - if(ca_info_blob) { - unsigned char *blob_data = (unsigned char *)ca_info_blob->data; - - /* mbedTLS expects the terminating NULL byte to be included in the length - of the data */ - size_t blob_data_len = ca_info_blob->len + 1; - - ret = mbedtls_x509_crt_parse(&backend->cacert, blob_data, - blob_data_len); - + if(ca_info_blob && verifypeer) { + /* Unfortunately, mbedtls_x509_crt_parse() requires the data to be null + terminated even when provided the exact length, forcing us to waste + extra memory here. */ + unsigned char *newblob = malloc(ca_info_blob->len + 1); + if(!newblob) + return CURLE_OUT_OF_MEMORY; + memcpy(newblob, ca_info_blob->data, ca_info_blob->len); + newblob[ca_info_blob->len] = 0; /* null terminate */ + ret = mbedtls_x509_crt_parse(&backend->cacert, newblob, + ca_info_blob->len + 1); + free(newblob); if(ret<0) { mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); - failf(data, "Error importing ca cert blob %s - mbedTLS: (-0x%04X) %s", - ca_info_blob, -ret, errorbuf); - - if(verifypeer) - return ret; + failf(data, "Error importing ca cert blob - mbedTLS: (-0x%04X) %s", + -ret, errorbuf); + return ret; } } - if(ssl_cafile) { + if(ssl_cafile && verifypeer) { ret = mbedtls_x509_crt_parse_file(&backend->cacert, ssl_cafile); if(ret<0) { mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); failf(data, "Error reading ca cert file %s - mbedTLS: (-0x%04X) %s", ssl_cafile, -ret, errorbuf); - - if(verifypeer) - return CURLE_SSL_CACERT_BADFILE; + return CURLE_SSL_CACERT_BADFILE; } } |