BUF_strndup was calling strlen through BUF_strlcpy, and ended up reading
past the input if the input was not a C string.
Make it explicitly part of BUF_strndup's contract to never read more
than |siz| input bytes. This augments the standard strndup contract to
be safer.
The commit also adds a check for siz overflow and some brief documentation
for BUF_strndup().
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
110f7b37de9feecfb64950601cc7cec77cf6130b)
#include <stdio.h>
#include "cryptlib.h"
+#include <limits.h>
#include <openssl/buffer.h>
size_t BUF_strnlen(const char *str, size_t maxlen)
siz = BUF_strnlen(str, siz);
+ if (siz >= INT_MAX)
+ return (NULL);
+
ret = OPENSSL_malloc(siz + 1);
if (ret == NULL) {
BUFerr(BUF_F_BUF_STRNDUP, ERR_R_MALLOC_FAILURE);
return (NULL);
}
- BUF_strlcpy(ret, str, siz + 1);
+
+ memcpy(ret, str, siz);
+ ret[siz] = '\0';
+
return (ret);
}
int BUF_MEM_grow_clean(BUF_MEM *str, size_t len);
size_t BUF_strnlen(const char *str, size_t maxlen);
char *BUF_strdup(const char *str);
+
+/*
+ * Returns a pointer to a new string which is a duplicate of the string |str|,
+ * but guarantees to never read past the first |siz| bytes of |str|.
+ */
char *BUF_strndup(const char *str, size_t siz);
+
void *BUF_memdup(const void *data, size_t siz);
void BUF_reverse(unsigned char *out, const unsigned char *in, size_t siz);