The branch OpenSSL_1_0_1-stable has been updated
       via  456b9820ebaa7e9bfec8eec27326478cc0a3b0fa (commit)
       via  e56c77b8ee964b233137eea15b067eed1b1b44ea (commit)
       via  69051874889696c2064b556ad4614d2f3644258a (commit)
      from  9d1fcbebbc0b026c87f1ad37d47be2e87608ca11 (commit)


- Log -----------------------------------------------------------------
commit 456b9820ebaa7e9bfec8eec27326478cc0a3b0fa
Author: Emilia Kasper <emi...@openssl.org>
Date:   Thu Sep 17 13:50:34 2015 +0200

    BUF_strdup and friends: update docs
    
    Reviewed-by: Matt Caswell <m...@openssl.org>
    (cherry picked from commit 58e3457a82e8940ff36b36949f9c7a60e7614b2c)
    (cherry picked from commit be250ee2d353a9c8ed858bf8ca274d3107ae2f64)

commit e56c77b8ee964b233137eea15b067eed1b1b44ea
Author: Emilia Kasper <emi...@openssl.org>
Date:   Thu Sep 17 13:27:05 2015 +0200

    BUF_strndup: tidy
    
    Fix comment, add another overflow check, tidy style
    
    Reviewed-by: Matt Caswell <m...@openssl.org>
    (cherry picked from commit de8883e11befde31d9b6cfbbd1fc017c365e0bbf)
    (cherry picked from commit f5afe9ce3f7ab8d2fef460054d1170427db0d02c)

commit 69051874889696c2064b556ad4614d2f3644258a
Author: Alessandro Ghedini <alessan...@ghedini.me>
Date:   Wed Sep 16 17:54:05 2015 +0200

    Make BUF_strndup() read-safe on arbitrary inputs
    
    BUF_strndup was calling strlen through BUF_strlcpy, and ended up reading
    past the input if the input was not a C string.
    
    Make it explicitly part of BUF_strndup's contract to never read more
    than |siz| input bytes. This augments the standard strndup contract to
    be safer.
    
    The commit also adds a check for siz overflow and some brief documentation
    for BUF_strndup().
    
    Reviewed-by: Matt Caswell <m...@openssl.org>
    (cherry picked from commit 110f7b37de9feecfb64950601cc7cec77cf6130b)
    (cherry picked from commit f61216ba9d17430fb5eb3e2b202a209960b9d51b)

-----------------------------------------------------------------------

Summary of changes:
 crypto/buffer/buf_str.c | 21 ++++++++++++++-------
 crypto/buffer/buffer.h  |  6 ++++++
 doc/crypto/buffer.pod   | 47 ++++++++++++++++++++++++-----------------------
 3 files changed, 44 insertions(+), 30 deletions(-)

diff --git a/crypto/buffer/buf_str.c b/crypto/buffer/buf_str.c
index fdde3d7..233af24 100644
--- a/crypto/buffer/buf_str.c
+++ b/crypto/buffer/buf_str.c
@@ -58,12 +58,13 @@
 
 #include <stdio.h>
 #include "cryptlib.h"
+#include <limits.h>
 #include <openssl/buffer.h>
 
 char *BUF_strdup(const char *str)
 {
     if (str == NULL)
-        return (NULL);
+        return NULL;
     return BUF_strndup(str, strlen(str));
 }
 
@@ -72,14 +73,20 @@ char *BUF_strndup(const char *str, size_t siz)
     char *ret;
 
     if (str == NULL)
-        return (NULL);
+        return NULL;
+
+    if (siz >= INT_MAX)
+        return NULL;
 
     ret = OPENSSL_malloc(siz + 1);
     if (ret == NULL) {
         BUFerr(BUF_F_BUF_STRNDUP, ERR_R_MALLOC_FAILURE);
-        return (NULL);
+        return NULL;
     }
-    BUF_strlcpy(ret, str, siz + 1);
+
+    memcpy(ret, str, siz);
+    ret[siz] = '\0';
+
     return (ret);
 }
 
@@ -87,13 +94,13 @@ void *BUF_memdup(const void *data, size_t siz)
 {
     void *ret;
 
-    if (data == NULL)
-        return (NULL);
+    if (data == NULL || siz >= INT_MAX)
+        return NULL;
 
     ret = OPENSSL_malloc(siz);
     if (ret == NULL) {
         BUFerr(BUF_F_BUF_MEMDUP, ERR_R_MALLOC_FAILURE);
-        return (NULL);
+        return NULL;
     }
     return memcpy(ret, data, siz);
 }
diff --git a/crypto/buffer/buffer.h b/crypto/buffer/buffer.h
index 632df93..89183ad 100644
--- a/crypto/buffer/buffer.h
+++ b/crypto/buffer/buffer.h
@@ -85,7 +85,13 @@ void BUF_MEM_free(BUF_MEM *a);
 int BUF_MEM_grow(BUF_MEM *str, size_t len);
 int BUF_MEM_grow_clean(BUF_MEM *str, size_t len);
 char *BUF_strdup(const char *str);
+
+/*
+ * Like strndup, but in addition, explicitly guarantees to never read past the
+ * first |siz| bytes of |str|.
+ */
 char *BUF_strndup(const char *str, size_t siz);
+
 void *BUF_memdup(const void *data, size_t siz);
 void BUF_reverse(unsigned char *out, const unsigned char *in, size_t siz);
 
diff --git a/doc/crypto/buffer.pod b/doc/crypto/buffer.pod
index 781f5b1..9d6de53 100644
--- a/doc/crypto/buffer.pod
+++ b/doc/crypto/buffer.pod
@@ -2,8 +2,11 @@
 
 =head1 NAME
 
-BUF_MEM_new, BUF_MEM_free, BUF_MEM_grow, BUF_strdup - simple
-character arrays structure
+BUF_MEM_new, BUF_MEM_new_ex, BUF_MEM_free, BUF_MEM_grow - simple
+character array structure
+
+BUF_strdup, BUF_strndup, BUF_memdup, BUF_strlcpy, BUF_strlcat -
+standard C library equivalents
 
 =head1 SYNOPSIS
 
@@ -15,25 +18,20 @@ character arrays structure
 
  int   BUF_MEM_grow(BUF_MEM *str, int len);
 
- char *        BUF_strdup(const char *str);
+ char *BUF_strdup(const char *str);
 
-=head1 DESCRIPTION
+ char *BUF_strndup(const char *str, size_t siz);
 
-The buffer library handles simple character arrays. Buffers are used for
-various purposes in the library, most notably memory BIOs.
+ void *BUF_memdup(const void *data, size_t siz);
 
-The library uses the BUF_MEM structure defined in buffer.h:
+ size_t BUF_strlcpy(char *dst, const char *src, size_t size);
 
- typedef struct buf_mem_st
- {
-        int length;     /* current number of bytes */
-        char *data;
-        int max;        /* size of buffer */
- } BUF_MEM;
+ size_t BUF_strlcat(char *dst, const char *src, size_t size);
 
-B<length> is the current size of the buffer in bytes, B<max> is the amount of
-memory allocated to the buffer. There are three functions which handle these
-and one "miscellaneous" function.
+=head1 DESCRIPTION
+
+The buffer library handles simple character arrays. Buffers are used for
+various purposes in the library, most notably memory BIOs.
 
 BUF_MEM_new() allocates a new buffer of zero size.
 
@@ -44,14 +42,17 @@ BUF_MEM_grow() changes the size of an already existing 
buffer to
 B<len>. Any data already in the buffer is preserved if it increases in
 size.
 
-BUF_strdup() copies a null terminated string into a block of allocated
-memory and returns a pointer to the allocated block.
-Unlike the standard C library strdup() this function uses OPENSSL_malloc() and 
so
-should be used in preference to the standard library strdup() because it can
-be used for memory leak checking or replacing the malloc() function.
+BUF_strdup(), BUF_strndup(), BUF_memdup(), BUF_strlcpy() and
+BUF_strlcat() are equivalents of the standard C library functions. The
+dup() functions use OPENSSL_malloc() underneath and so should be used
+in preference to the standard library for memory leak checking or
+replacing the malloc() function.
+
+Memory allocated from these functions should be freed up using the
+OPENSSL_free() function.
 
-The memory allocated from BUF_strdup() should be freed up using the 
OPENSSL_free()
-function.
+BUF_strndup makes the explicit guarantee that it will never read past
+the first B<siz> bytes of B<str>.
 
 =head1 RETURN VALUES
 
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

Reply via email to