Nikos Mavrogiannopoulos nmav at
Tue Aug 4 07:23:28 CEST 2009

Simon Josefsson wrote:

>>    return 0;
>>  }
> Hi Nikos -- this code crashed the self-tests, but I fixed that.
> However, isn't this the wrong way to address the real problem?  It seems
> callers of the function should be fixed to be careful not to assume
> decoded data does not contain NULs?

A null byte there is really malicious (why would a string contain a null
byte?). Maybe using '?' is not the right solution, though. However I
don't think the callers of this function will be safe... even the
description of it says that the string will be null terminated :(
I'd suggest to use memcpy for the cases of the gnutls_str_cpy to avoid
having certificates that return a smaller DN value...

More information about the Gnutls-devel mailing list