From: Alessandro Ghedini Date: Wed, 16 Sep 2015 15:54:05 +0000 (+0200) Subject: Make BUF_strndup() read-safe on arbitrary inputs X-Git-Tag: OpenSSL_1_0_2e~76 X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=f61216ba9d17430fb5eb3e2b202a209960b9d51b;hp=c038e6b50497a4c63044a509e925a6eebff3e747 Make BUF_strndup() read-safe on arbitrary inputs BUF_strndup was calling strlen through BUF_strlcpy, and ended up reading past the input if the input was not a C string. Make it explicitly part of BUF_strndup's contract to never read more than |siz| input bytes. This augments the standard strndup contract to be safer. The commit also adds a check for siz overflow and some brief documentation for BUF_strndup(). Reviewed-by: Matt Caswell (cherry picked from commit 110f7b37de9feecfb64950601cc7cec77cf6130b) --- diff --git a/crypto/buffer/buf_str.c b/crypto/buffer/buf_str.c index ebc5ab4646..61024cf5ed 100644 --- a/crypto/buffer/buf_str.c +++ b/crypto/buffer/buf_str.c @@ -58,6 +58,7 @@ #include #include "cryptlib.h" +#include #include size_t BUF_strnlen(const char *str, size_t maxlen) @@ -85,12 +86,18 @@ char *BUF_strndup(const char *str, size_t siz) siz = BUF_strnlen(str, siz); + if (siz >= INT_MAX) + return (NULL); + ret = OPENSSL_malloc(siz + 1); if (ret == NULL) { BUFerr(BUF_F_BUF_STRNDUP, ERR_R_MALLOC_FAILURE); return (NULL); } - BUF_strlcpy(ret, str, siz + 1); + + memcpy(ret, str, siz); + ret[siz] = '\0'; + return (ret); } diff --git a/crypto/buffer/buffer.h b/crypto/buffer/buffer.h index c343dd772f..a05cee091f 100644 --- a/crypto/buffer/buffer.h +++ b/crypto/buffer/buffer.h @@ -86,7 +86,13 @@ int BUF_MEM_grow(BUF_MEM *str, size_t len); int BUF_MEM_grow_clean(BUF_MEM *str, size_t len); size_t BUF_strnlen(const char *str, size_t maxlen); char *BUF_strdup(const char *str); + +/* + * Returns a pointer to a new string which is a duplicate of the string |str|, + * but guarantees to never read past the first |siz| bytes of |str|. + */ char *BUF_strndup(const char *str, size_t siz); + void *BUF_memdup(const void *data, size_t siz); void BUF_reverse(unsigned char *out, const unsigned char *in, size_t siz);