Make BUF_strndup() read-safe on arbitrary inputs

BUF_strndup was calling strlen through BUF_strlcpy, and ended up reading past the input if the input was not a C string. Make it explicitly part of BUF_strndup's contract to never read more than |siz| input bytes. This augments the standard strndup contract to be safer. The commit also adds a check for siz overflow and some brief documentation for BUF_strndup(). Reviewed-by: Matt Caswell <matt@openssl.org>
author: Alessandro Ghedini <alessandro@ghedini.me> 2015-09-16 17:54:05 +0200
committer: Emilia Kasper <emilia@openssl.org> 2015-09-22 19:50:53 +0200
commit: 110f7b37de9feecfb64950601cc7cec77cf6130b (patch)
tree: eb27f7cd046f401ccfbd97132c84240f231b00e3 /include
parent: db9defdfe306e1adf0af7188b187d535eb0268da (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/include/openssl/buffer.h b/include/openssl/buffer.h
index af30a90b86..61cff9ca36 100644
--- a/include/openssl/buffer.h
+++ b/include/openssl/buffer.h
@@ -90,7 +90,13 @@ size_t BUF_MEM_grow(BUF_MEM *str, size_t len);
 size_t BUF_MEM_grow_clean(BUF_MEM *str, size_t len);
 size_t BUF_strnlen(const char *str, size_t maxlen);
 char *BUF_strdup(const char *str);
+
+/*
+ * Returns a pointer to a new string which is a duplicate of the string |str|,
+ * but guarantees to never read past the first |siz| bytes of |str|.
+ */
 char *BUF_strndup(const char *str, size_t siz);
+
 void *BUF_memdup(const void *data, size_t siz);
 void BUF_reverse(unsigned char *out, unsigned char *in, size_t siz);
author	Alessandro Ghedini <alessandro@ghedini.me>	2015-09-16 17:54:05 +0200
committer	Emilia Kasper <emilia@openssl.org>	2015-09-22 19:50:53 +0200
commit	110f7b37de9feecfb64950601cc7cec77cf6130b (patch)
tree	eb27f7cd046f401ccfbd97132c84240f231b00e3 /include
parent	db9defdfe306e1adf0af7188b187d535eb0268da (diff)