mbedtls: fix CURLOPT_SSLCERT_BLOB

The memory passed to mbedTLS for this needs to be null terminated. Reported-by: Florian Van Heghe Closes #8146
author: Daniel Stenberg <daniel@haxx.se> 2021-12-14 10:00:34 +0100
committer: Daniel Stenberg <daniel@haxx.se> 2021-12-14 15:35:54 +0100
commit: 867ad1cd8bd6cfce3e9c76e802e9e343913e2594 (patch)
tree: 917691ed7c2bf277381b2da6467a44c943e7e97c
parent: 64e8bf9ff4670fbe5bde6f8eb4c9facc181fcae8 (diff)
download: curl-867ad1cd8bd6cfce3e9c76e802e9e343913e2594.tar.gz
1 files changed, 10 insertions, 3 deletions
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index 113eb9196..ac791e809 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -379,10 +379,17 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
   }
 
   if(ssl_cert_blob) {
-    const unsigned char *blob_data =
-      (const unsigned char *)ssl_cert_blob->data;
-    ret = mbedtls_x509_crt_parse(&backend->clicert, blob_data,
+    /* Unfortunately, mbedtls_x509_crt_parse() requires the data to be null
+       terminated even when provided the exact length, forcing us to waste
+       extra memory here. */
+    unsigned char *newblob = malloc(ssl_cert_blob->len + 1);
+    if(!newblob)
+      return CURLE_OUT_OF_MEMORY;
+    memcpy(newblob, ssl_cert_blob->data, ssl_cert_blob->len);
+    newblob[ssl_cert_blob->len] = 0; /* null terminate */
+    ret = mbedtls_x509_crt_parse(&backend->clicert, newblob,
                                  ssl_cert_blob->len);
+    free(newblob);
 
     if(ret) {
       mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
author	Daniel Stenberg <daniel@haxx.se>	2021-12-14 10:00:34 +0100
committer	Daniel Stenberg <daniel@haxx.se>	2021-12-14 15:35:54 +0100
commit	867ad1cd8bd6cfce3e9c76e802e9e343913e2594 (patch)
tree	917691ed7c2bf277381b2da6467a44c943e7e97c
parent	64e8bf9ff4670fbe5bde6f8eb4c9facc181fcae8 (diff)
download	curl-867ad1cd8bd6cfce3e9c76e802e9e343913e2594.tar.gz