Make BUF_strndup() read-safe on arbitrary inputs

BUF_strndup was calling strlen through BUF_strlcpy, and ended up reading past the input if the input was not a C string. Make it explicitly part of BUF_strndup's contract to never read more than |siz| input bytes. This augments the standard strndup contract to be safer. The commit also adds a check for siz overflow and some brief documentation for BUF_strndup(). Reviewed-by: Matt Caswell <matt@openssl.org>
2015-09-16 17:54:05 +02:00 · 2015-09-16 17:54:05 +02:00 · 110f7b37de
commit 110f7b37de
parent db9defdfe3
2 changed files with 14 additions and 1 deletions
--- a/crypto/buffer/buf_str.c
+++ b/crypto/buffer/buf_str.c
@ -57,6 +57,7 @@
 */

 #include <stdio.h>
+#include <limits.h>
 #include "internal/cryptlib.h"
 #include <openssl/buffer.h>

@ -85,12 +86,18 @@ char *BUF_strndup(const char *str, size_t siz)

    siz = BUF_strnlen(str, siz);

+    if (siz >= INT_MAX)
+        return (NULL);
+
    ret = OPENSSL_malloc(siz + 1);
    if (ret == NULL) {
        BUFerr(BUF_F_BUF_STRNDUP, ERR_R_MALLOC_FAILURE);
        return (NULL);
    }
-    BUF_strlcpy(ret, str, siz + 1);
+
+    memcpy(ret, str, siz);
+    ret[siz] = '\0';
+
    return (ret);
 }

--- a/include/openssl/buffer.h
+++ b/include/openssl/buffer.h
@ -90,7 +90,13 @@ size_t BUF_MEM_grow(BUF_MEM *str, size_t len);
 size_t BUF_MEM_grow_clean(BUF_MEM *str, size_t len);
 size_t BUF_strnlen(const char *str, size_t maxlen);
 char *BUF_strdup(const char *str);
+
+/*
+ * Returns a pointer to a new string which is a duplicate of the string |str|,
+ * but guarantees to never read past the first |siz| bytes of |str|.
+ */
 char *BUF_strndup(const char *str, size_t siz);
+
 void *BUF_memdup(const void *data, size_t siz);
 void BUF_reverse(unsigned char *out, unsigned char *in, size_t siz);