From e8dc64cbf55f0db42eb549dcb923d86a5634e1b4 Mon Sep 17 00:00:00 2001
From: Andres Amaya Garcia
Date: Tue, 29 Aug 2017 17:31:00 +0100
Subject: [PATCH] Add 1 to tmp buf size in x509_ocsp_info_certs()
Add 1 to a temporary buffer in x509_ocsp_info_certs() which is used to construct the printing prefix to write an informational string of the OCSP response for the user. The additional element added to the buffer contains the \0 character. The missing element would cause a heap overread of 1 when concatenating the prefix string with itself.
---
 library/x509_ocsp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/library/x509_ocsp.c b/library/x509_ocsp.c
index fdf4d7998e..7bcc4464b0 100644
--- a/library/x509_ocsp.c
+++ b/library/x509_ocsp.c
@@ -1393,7 +1393,7 @@ static int x509_ocsp_info_certs( char **buf, size_t *size, const char *prefix,
 return( MBEDTLS_ERR_X509_ALLOC_FAILED );
 /* Allocate a new buffer that will contain the prefix string twice */
- double_prefix = mbedtls_calloc( 1, prefix_len * 2 );
+ double_prefix = mbedtls_calloc( 1, prefix_len * 2 + 1 );
 if( double_prefix == NULL )
 return( MBEDTLS_ERR_X509_ALLOC_FAILED );
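Review bot: The comment above the allocation still says the buffer holds "the prefix string twice", so the `+ 1` in `mbedtls_calloc( 1, prefix_len * 2 + 1 )` is unexplained at the allocation site and easy to drop in a later cleanup; I would reword it to `/* Allocate a new buffer holding the prefix string twice plus the terminating '\0' */`. The code that fills double_prefix is outside the hunk, so it is worth confirming there that it copies at most prefix_len * 2 bytes and either writes the terminator itself or deliberately relies on calloc's zero fill, because the size and the copy have to agree for the overread to stay fixed. `prefix_len * 2 + 1` is also computed without a wrap check; that is presumably harmless if prefix_len is the length of a short prefix chosen by the library's own callers, but that is not visible here. x509_ocsp_info_certs() starts and ends outside the hunk.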