修正certstore_rpc_on_succ()中添加字符串结尾0导致内存越界的问题

1 files changed, 10 insertions, 6 deletions

diff --git a/platform/src/key_keeper.cpp b/platform/src/key_keeper.cpp
index c466092..b63ce58 100644
--- a/platform/src/key_keeper.cpp
+++ b/platform/src/key_keeper.cpp
@@ -218,7 +218,6 @@ static EVP_PKEY* transform_key_to_EVP(const char* str)
 
 static struct keyring_private* get_keyring_from_response(const char* data)
 {
-
 	X509* cert = NULL;
 	X509* chain_cert = NULL;
 	struct keyring_private* _kyr=NULL;
@@ -290,7 +289,6 @@ error_out:
 	if(key) EVP_PKEY_free(key);
  	if(chain) sk_X509_pop_free(chain, X509_free);
 	return NULL;
-
 }
 
 static long keyring_local_cache_query_cb(void * data, const uchar * key, uint size, void * user_arg)
@@ -335,17 +333,23 @@ static void certstore_rpc_on_succ(void* result, void* user)
 	struct tfe_rpc_response_result* response = tfe_rpc_release(result);
 	int status_code = response->status_code;
 	const char* status_msg = response->status_msg;
-	char* data = response->data;
-	size_t len = response->len;
+
 	if(status_code == HTTP_OK)
 	{
-		*(data+len) = '\0';
-		struct keyring_private* kyr= get_keyring_from_response(data);
+		/* Copy a buffer ending with zero */
+		char * data_as_string = (char *)malloc(response->len + 1);
+		memcpy(data_as_string, response->data, response->len);
+		data_as_string[response->len] = '\0';
+
+		struct keyring_private* kyr= get_keyring_from_response(data_as_string);
+		FREE(&data_as_string);
+
 		if(kyr == NULL)
 		{
 			promise_failed(p, FUTURE_ERROR_EXCEPTION, "get_keyring_from_response failed");
 			return;
 		}
+
 		if(!ctx->ref_keeper->no_cache)
 		{
 			keyring_ref_inc(kyr);