authorAlessandro Ghedini <alessandro@ghedini.me>2015-09-16 17:54:05 +0200
committerEmilia Kasper <emilia@openssl.org>2015-09-22 19:50:53 +0200
commit110f7b37de9feecfb64950601cc7cec77cf6130b (patch)
treeeb27f7cd046f401ccfbd97132c84240f231b00e3 /crypto/buffer
parentdb9defdfe306e1adf0af7188b187d535eb0268da (diff)
Make BUF_strndup() read-safe on arbitrary inputs
BUF_strndup was calling strlen through BUF_strlcpy, and ended up reading past the input if the input was not a C string. Make it explicitly part of BUF_strndup's contract to never read more than |siz| input bytes. This augments the standard strndup contract to be safer. The commit also adds a check for siz overflow and some brief documentation for BUF_strndup(). Reviewed-by: Matt Caswell <matt@openssl.org>
Diffstat (limited to 'crypto/buffer')
-rw-r--r--crypto/buffer/buf_str.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/crypto/buffer/buf_str.c b/crypto/buffer/buf_str.c
index 1e8d7f6f10..bca363c28e 100644
--- a/crypto/buffer/buf_str.c
+++ b/crypto/buffer/buf_str.c
@@ -57,6 +57,7 @@
*/
#include <stdio.h>
+#include <limits.h>
#include "internal/cryptlib.h"
#include <openssl/buffer.h>
@@ -85,12 +86,18 @@ char *BUF_strndup(const char *str, size_t siz)
siz = BUF_strnlen(str, siz);
+ if (siz >= INT_MAX)
+ return (NULL);
+
ret = OPENSSL_malloc(siz + 1);
if (ret == NULL) {
BUFerr(BUF_F_BUF_STRNDUP, ERR_R_MALLOC_FAILURE);
return (NULL);
}
- BUF_strlcpy(ret, str, siz + 1);
+
+ memcpy(ret, str, siz);
+ ret[siz] = '\0';
+
return (ret);
}
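Review bot: The new `if (siz >= INT_MAX) return (NULL);` guard returns NULL without queuing anything on the error stack, unlike the malloc-failure branch a few lines below that calls BUFerr before returning NULL, so a caller that inspects the error queue after a NULL result will find it empty for over-long inputs. The reason for the bound is also not stated in the code; presumably `siz + 1` is passed to OPENSSL_malloc as an int-sized count, which is why `>=` rather than `>` is needed, but that should be confirmed and recorded, e.g. `/* siz + 1 is handed to OPENSSL_malloc as an int; reject lengths that would not fit */` above the check. The memcpy/`ret[siz] = '\0'` replacement correctly bounds reads to the BUF_strnlen result. The start of BUF_strndup, including the NULL check on str, lies outside this hunk.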