Hello,

While auditing the ACME client in 3.4-dev12, I noticed that acme_res_certificate() passes the raw httpclient response buffer to ssl_sock_load_pem_into_ckch(), which ends up calling BIO_new_mem_buf(buf, -1). With length -1, OpenSSL runs strlen() on the buffer, but the httpclient fills it via __b_putblk() and never writes a trailing NUL. That allows a malicious or compromised ACME CA to drive an out-of-bounds heap read past the response body, with two practical impacts: PEM-looking bytes lying in adjacent freed chunks may be loaded as additional intermediate certificates into the ckch_store, and an embedded NUL in the response silently truncates the installed certificate.

The attached patch NUL-terminates the buffer at area[data] before handing it to the PEM loader, and fails cleanly if no room is left.

I am not subscribed to the list -- please keep me in CC on any reply.

Thanks,
Omar
0001-BUG-MEDIUM-acme-NUL-terminate-response-buffer-before.patch
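The length mismatch described in the report, as an added illustration that is not HAProxy's code or the attached patch: a hypothetical stand-in for struct buffer, the scan length a -1 length hands to strlen() with and without the NUL terminator, the terminator check that refuses a full buffer, and an embedded-NUL check the report's second impact calls for. The PEM bytes and the 'X' fill standing in for adjacent memory are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical simplification of HAProxy's struct buffer: area = storage,
 * size = capacity, data = bytes the httpclient wrote with __b_putblk(). */
struct buffer {
    char *area;
    size_t size;
    size_t data;
};

/* Bytes the PEM loader scans when the call site passes -1 to BIO_new_mem_buf():
 * strlen() over area, i.e. up to the first NUL wherever it happens to be.
 * Bounded by size here so the demo stays in bounds; real strlen() is not. */
static size_t pem_scan_len(const struct buffer *b)
{
    const char *nul = memchr(b->area, '\0', b->size);
    return nul ? (size_t)(nul - b->area) : b->size;
}

/* The fix the report describes: NUL-terminate at area[data], fail if full. */
int acme_nul_terminate(struct buffer *b)
{
    if (b->data >= b->size)
        return -1;                 /* no room for the terminator: fail cleanly */
    b->area[b->data] = '\0';
    return 0;
}

/* Extra check (not in the patch): an embedded NUL still truncates at strlen(),
 * so a response containing one should be rejected rather than installed. */
int embedded_nul_in(const char *resp, size_t len)
{
    return memchr(resp, '\0', len) != NULL;
}

/* Constructed body: len bytes of resp placed in a size-byte area whose tail is
 * pre-filled with 'X' so nothing after the body stops strlen(). Returns the
 * length the loader would scan; 0 when the fix refuses a full buffer. */
size_t scan_len_for(const char *resp, size_t len, size_t size, int fixed)
{
    char storage[128];
    struct buffer b = { storage, size, len };
    memset(storage, 'X', sizeof storage);
    memcpy(storage, resp, len);
    if (fixed && acme_nul_terminate(&b) < 0)
        return 0;
    return pem_scan_len(&b);
}

static const char demo_pem[] =
    "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n";
```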

