From: deraadt
Date: Fri, 18 Apr 2014 13:38:31 +0000 (+0000)
Subject: in CONF_get1_default_config_file(), don't calculate a buffer size,
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=1297a291c4cf71e11a01c38ced87848d0e516cc7;p=openbsd
in CONF_get1_default_config_file(), don't calculate a buffer size, malloc it, do unbounded strlcpy's to it... but instead of asnprintf. While there, let's put a '/' between the two path components! Wonder how old that bug is.. ok guenther
---
diff --git a/lib/libcrypto/conf/conf_mod.c b/lib/libcrypto/conf/conf_mod.c
index ca7b5e697a9..436f239b12e 100644
--- a/lib/libcrypto/conf/conf_mod.c
+++ b/lib/libcrypto/conf/conf_mod.c
@@ -543,27 +543,17 @@ void CONF_module_set_usr_data(CONF_MODULE *pmod, void *usr_data)
 /* Return default config file name */
-char *CONF_get1_default_config_file(void)
- {
+char *
+CONF_get1_default_config_file(void)
+{
 char *file;
- int len;
 file = getenv("OPENSSL_CONF");
 if (file) return BUF_strdup(file);
-
- len = strlen(X509_get_default_cert_area());
- len += strlen(OPENSSL_CONF);
-
- file = malloc(len + 1);
-
- if (!file)
- return NULL;
- BUF_strlcpy(file,X509_get_default_cert_area(),len + 1);
- BUF_strlcat(file,OPENSSL_CONF,len + 1);
-
+ asprintf(&file, "%s/openssl.cnf", X509_get_default_cert_area());
 return file;
- }
+}
 /* This function takes a list separated by 'sep' and calls the * callback function giving the start and length of each member
diff --git a/lib/libssl/src/crypto/conf/conf_mod.c b/lib/libssl/src/crypto/conf/conf_mod.c
index ca7b5e697a9..436f239b12e 100644
--- a/lib/libssl/src/crypto/conf/conf_mod.c
+++ b/lib/libssl/src/crypto/conf/conf_mod.c
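Review bot: The return value of `asprintf()` in CONF_get1_default_config_file() is ignored, so an allocation failure is no longer reported through the explicit `return NULL` that the removed malloc path had. Some libcs set the pointer to NULL when asprintf fails, but others leave its contents unspecified, in which case callers would receive an indeterminate pointer that they may later read or free. Checking the call keeps the old contract on every platform: `if (asprintf(&file, "%s/openssl.cnf", X509_get_default_cert_area()) == -1) return NULL;`. The same line is added in the identical lib/libssl/src/crypto/conf/conf_mod.c hunk that follows and needs the same check.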
@@ -543,27 +543,17 @@ void CONF_module_set_usr_data(CONF_MODULE *pmod, void *usr_data)
 /* Return default config file name */
-char *CONF_get1_default_config_file(void)
- {
+char *
+CONF_get1_default_config_file(void)
+{
 char *file;
- int len;
 file = getenv("OPENSSL_CONF");
 if (file) return BUF_strdup(file);
-
- len = strlen(X509_get_default_cert_area());
- len += strlen(OPENSSL_CONF);
-
- file = malloc(len + 1);
-
- if (!file)
- return NULL;
- BUF_strlcpy(file,X509_get_default_cert_area(),len + 1);
- BUF_strlcat(file,OPENSSL_CONF,len + 1);
-
+ asprintf(&file, "%s/openssl.cnf", X509_get_default_cert_area());
 return file;
- }
+}
 /* This function takes a list separated by 'sep' and calls the * callback function giving the start and length of each member