author | Alessandro Ghedini <alessandro@ghedini.me> | 2015-09-16 17:54:05 +0200 |
---|---|---|
committer | Emilia Kasper <emilia@openssl.org> | 2015-09-22 19:50:53 +0200 |
commit | 110f7b37de9feecfb64950601cc7cec77cf6130b (patch) | |
tree | eb27f7cd046f401ccfbd97132c84240f231b00e3 /crypto/buffer | |
parent | db9defdfe306e1adf0af7188b187d535eb0268da (diff) |
Make BUF_strndup() read-safe on arbitrary inputs
BUF_strndup was calling strlen through BUF_strlcpy, and ended up reading
past the input if the input was not a C string.
Make it explicitly part of BUF_strndup's contract to never read more
than |siz| input bytes. This augments the standard strndup contract to
be safer.
The commit also adds a check for siz overflow and some brief documentation
for BUF_strndup().
Reviewed-by: Matt Caswell <matt@openssl.org>
Diffstat (limited to 'crypto/buffer')
-rw-r--r-- | crypto/buffer/buf_str.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/crypto/buffer/buf_str.c b/crypto/buffer/buf_str.c
index 1e8d7f6f10..bca363c28e 100644
--- a/crypto/buffer/buf_str.c
+++ b/crypto/buffer/buf_str.c
@@ -57,6 +57,7 @@
 */
 #include <stdio.h>
+#include <limits.h>
 #include "internal/cryptlib.h"
 #include <openssl/buffer.h>
@@ -85,12 +86,18 @@ char *BUF_strndup(const char *str, size_t siz)
 siz = BUF_strnlen(str, siz);
+ if (siz >= INT_MAX)
+ return (NULL);
+
 ret = OPENSSL_malloc(siz + 1);
 if (ret == NULL) {
 BUFerr(BUF_F_BUF_STRNDUP, ERR_R_MALLOC_FAILURE);
 return (NULL);
 }
- BUF_strlcpy(ret, str, siz + 1);
+
+ memcpy(ret, str, siz);
+ ret[siz] = '\0';
+
 return (ret);
 }
|
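Review bot: The new `if (siz >= INT_MAX) return (NULL);` in the second hunk fails silently, while the allocation failure two lines below pushes an error with BUFerr, so a caller that reports via the error queue cannot distinguish "input too large" from a function that simply returned NULL for a NULL input. For consistency the guard should record a reason as well, e.g. `if (siz >= INT_MAX) { BUFerr(BUF_F_BUF_STRNDUP, ERR_R_MALLOC_FAILURE); return (NULL); }`, or use whichever invalid-argument reason code this tree already defines. The bound itself deserves a comment, since INT_MAX is far below SIZE_MAX and the reader has to guess that it presumably protects both `siz + 1` and an int-sized allocator limit: `/* keep siz + 1 representable and bound the allocation; see OPENSSL_malloc */`. Note that BUF_strndup begins before this hunk, so any NULL check on str and the declaration of ret are outside the visible lines.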