strdup: don't allow Curl_strndup to read past a null terminator

- Use malloc + strncpy instead of Curl_memdup to dupe the string before
  null terminating it.

Prior to this change if Curl_strndup was passed a length longer than
the allocated string then it could copy out of bounds.

This change is for posterity. Curl_strndup was added in the parent
commit and currently none of the calls to it pass a length that would
cause it to read past the allocated length of the input.

Follow-up to d3b3ba35.

Closes https://github.com/curl/curl/pull/12254
This commit is contained in:
Jay Satiro 2023-11-02 18:56:06 -04:00
parent d3b3ba35a5
commit 4855debd8a

View File

@ -103,18 +103,20 @@ void *Curl_memdup(const void *src, size_t length)
*
* Curl_strndup(source, length)
*
* Copies the 'source' data to a newly allocated buffer (that is
* returned). Copies 'length' bytes then adds a null terminator.
* Copies the 'source' string to a newly allocated buffer (that is returned).
* Copies not more than 'length' bytes then adds a null terminator.
*
* Returns the new pointer or NULL on failure.
*
***************************************************************************/
void *Curl_strndup(const void *src, size_t length)
{
char *b = Curl_memdup(src, length + 1);
if(b)
b[length] = 0;
return b;
char *buf = malloc(length + 1);
if(!buf)
return NULL;
strncpy(buf, src, length);
buf[length] = 0;
return buf;
}
/***************************************************************************