From 5495eb5660952738d99af143df896cb3e1cc8c25 Mon Sep 17 00:00:00 2001
From: deraadt <>
Date: Fri, 18 Apr 2014 13:38:31 +0000
Subject: in CONF_get1_default_config_file(), don't calculate a buffer size, malloc it, do unbounded strlcpy's to it... but instead of asnprintf. While there, let's put a '/' between the two path components! Wonder how old that bug is.. ok guenther
---
 src/lib/libcrypto/conf/conf_mod.c | 20 +++++---------------
 src/lib/libssl/src/crypto/conf/conf_mod.c | 20 +++++---------------
 2 files changed, 10 insertions(+), 30 deletions(-)
(limited to 'src')
diff --git a/src/lib/libcrypto/conf/conf_mod.c b/src/lib/libcrypto/conf/conf_mod.c
index ca7b5e697a..436f239b12 100644
--- a/src/lib/libcrypto/conf/conf_mod.c
+++ b/src/lib/libcrypto/conf/conf_mod.c
@@ -543,27 +543,17 @@ void CONF_module_set_usr_data(CONF_MODULE *pmod, void *usr_data)
 /* Return default config file name */
-char *CONF_get1_default_config_file(void)
- {
+char *
+CONF_get1_default_config_file(void)
+{
 char *file;
- int len;
 file = getenv("OPENSSL_CONF");
 if (file) return BUF_strdup(file);
-
- len = strlen(X509_get_default_cert_area());
- len += strlen(OPENSSL_CONF);
-
- file = malloc(len + 1);
-
- if (!file)
- return NULL;
- BUF_strlcpy(file,X509_get_default_cert_area(),len + 1);
- BUF_strlcat(file,OPENSSL_CONF,len + 1);
-
+ asprintf(&file, "%s/openssl.cnf", X509_get_default_cert_area());
 return file;
- }
+}
 /* This function takes a list separated by 'sep' and calls the
 * callback function giving the start and length of each member
diff --git a/src/lib/libssl/src/crypto/conf/conf_mod.c b/src/lib/libssl/src/crypto/conf/conf_mod.c
index ca7b5e697a..436f239b12 100644
--- a/src/lib/libssl/src/crypto/conf/conf_mod.c
+++ b/src/lib/libssl/src/crypto/conf/conf_mod.c
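Review bot: The added `asprintf(&file, "%s/openssl.cnf", X509_get_default_cert_area());` call discards its return value, so on allocation failure the function returns whatever `file` then holds; asprintf implementations that do not reset the pointer on failure leave it indeterminate, and a caller that only tests the result against NULL would go on to use or free it. The removed code returned NULL explicitly when malloc failed, and the replacement should keep that contract with `if (asprintf(&file, "%s/openssl.cnf", X509_get_default_cert_area()) == -1) return NULL;`. The literal `openssl.cnf` also takes the place of the `OPENSSL_CONF` macro the old code concatenated, so if that macro remains the project's definition of the file name, a short comment noting that the two must stay in sync would help. The same points apply to the identical hunk for src/lib/libssl/src/crypto/conf/conf_mod.c.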
@@ -543,27 +543,17 @@ void CONF_module_set_usr_data(CONF_MODULE *pmod, void *usr_data)
 /* Return default config file name */
-char *CONF_get1_default_config_file(void)
- {
+char *
+CONF_get1_default_config_file(void)
+{
 char *file;
- int len;
 file = getenv("OPENSSL_CONF");
 if (file) return BUF_strdup(file);
-
- len = strlen(X509_get_default_cert_area());
- len += strlen(OPENSSL_CONF);
-
- file = malloc(len + 1);
-
- if (!file)
- return NULL;
- BUF_strlcpy(file,X509_get_default_cert_area(),len + 1);
- BUF_strlcat(file,OPENSSL_CONF,len + 1);
-
+ asprintf(&file, "%s/openssl.cnf", X509_get_default_cert_area());
 return file;
- }
+}
 /* This function takes a list separated by 'sep' and calls the
 * callback function giving the start and length of each member
-- cgit v1.2.3-55-g6feb