From 4855debd8a2c1cbd0b0dbbb8319b1743c4644873 Mon Sep 17 00:00:00 2001 From: Jay Satiro Date: Thu, 2 Nov 2023 18:56:06 -0400 Subject: [PATCH] strdup: don't allow Curl_strndup to read past a null terminator - Use malloc + strncpy instead of Curl_memdup to dupe the string before null terminating it. Prior to this change if Curl_strndup was passed a length longer than the allocated string then it could copy out of bounds. This change is for posterity. Curl_strndup was added in the parent commit and currently none of the calls to it pass a length that would cause it to read past the allocated length of the input. Follow-up to d3b3ba35. Closes https://github.com/curl/curl/pull/12254
---
 lib/strdup.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/lib/strdup.c b/lib/strdup.c
index 5336da7c6..ea2b6d0c0 100644
--- a/lib/strdup.c
+++ b/lib/strdup.c
@@ -103,18 +103,20 @@ void *Curl_memdup(const void *src, size_t length)
 *
 * Curl_strndup(source, length)
 *
- * Copies the 'source' data to a newly allocated buffer (that is
- * returned). Copies 'length' bytes then adds a null terminator.
+ * Copies the 'source' string to a newly allocated buffer (that is returned).
+ * Copies not more than 'length' bytes then adds a null terminator.
 *
 * Returns the new pointer or NULL on failure.
 *
 ***************************************************************************/
 void *Curl_strndup(const void *src, size_t length)
 {
- char *b = Curl_memdup(src, length + 1);
- if(b)
- b[length] = 0;
- return b;
+ char *buf = malloc(length + 1);
+ if(!buf)
+ return NULL;
+ strncpy(buf, src, length);
+ buf[length] = 0;
+ return buf;
 }
 
 /***************************************************************************
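Review bot: `length + 1` in the new `malloc(length + 1)` wraps to 0 when `length` is the largest `size_t` value, and if that zero-size request returns a non-NULL pointer the following `strncpy(buf, src, length)` and `buf[length] = 0` write outside the allocation. The removed Curl_memdup call used the same `length + 1`, so this is not a regression, but the commit is about hardening this function and leaves that case open; a guard before the allocation such as `if(length == (size_t)-1) return NULL;` would close it. The header comment could also say that the returned buffer is always `length + 1` bytes and that strncpy zero-fills everything after a shorter source string, so a caller passing a large bound pays for the full allocation. The whole function body is visible in this hunk.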