[openssl-commits] [openssl] master update

Emilia Kasper emilia at openssl.org
Tue Sep 22 17:57:42 UTC 2015 

The branch master has been updated
       via  21b0fa91186ff1c1c3d956c0593ef4ac02521695 (commit)
       via  58e3457a82e8940ff36b36949f9c7a60e7614b2c (commit)
       via  de8883e11befde31d9b6cfbbd1fc017c365e0bbf (commit)
       via  110f7b37de9feecfb64950601cc7cec77cf6130b (commit)
      from  db9defdfe306e1adf0af7188b187d535eb0268da (commit)


- Log -----------------------------------------------------------------
commit 21b0fa91186ff1c1c3d956c0593ef4ac02521695
Author: Emilia Kasper <emilia at openssl.org>
Date:   Thu Sep 17 13:55:09 2015 +0200

    Document BUF_strnlen
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 58e3457a82e8940ff36b36949f9c7a60e7614b2c
Author: Emilia Kasper <emilia at openssl.org>
Date:   Thu Sep 17 13:50:34 2015 +0200

    BUF_strdup and friends: update docs
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit de8883e11befde31d9b6cfbbd1fc017c365e0bbf
Author: Emilia Kasper <emilia at openssl.org>
Date:   Thu Sep 17 13:27:05 2015 +0200

    BUF_strndup: tidy
    
    Fix comment, add another overflow check, tidy style
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 110f7b37de9feecfb64950601cc7cec77cf6130b
Author: Alessandro Ghedini <alessandro at ghedini.me>
Date:   Wed Sep 16 17:54:05 2015 +0200

    Make BUF_strndup() read-safe on arbitrary inputs
    
    BUF_strndup was calling strlen through BUF_strlcpy, and ended up reading
    past the input if the input was not a C string.
    
    Make it explicitly part of BUF_strndup's contract to never read more
    than |siz| input bytes. This augments the standard strndup contract to
    be safer.
    
    The commit also adds a check for siz overflow and some brief documentation
    for BUF_strndup().
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/buffer/buf_str.c  | 21 +++++++++++++-------
 doc/crypto/buffer.pod    | 51 +++++++++++++++++++++++++-----------------------
 include/openssl/buffer.h |  6 ++++++
 3 files changed, 47 insertions(+), 31 deletions(-)

diff --git a/crypto/buffer/buf_str.c b/crypto/buffer/buf_str.c
index 1e8d7f6..1f3e8a4 100644
--- a/crypto/buffer/buf_str.c
+++ b/crypto/buffer/buf_str.c
@@ -57,6 +57,7 @@
  */
 
 #include <stdio.h>
+#include <limits.h>
 #include "internal/cryptlib.h"
 #include <openssl/buffer.h>
 
@@ -72,7 +73,7 @@ size_t BUF_strnlen(const char *str, size_t maxlen)
 char *BUF_strdup(const char *str)
 {
     if (str == NULL)
-        return (NULL);
+        return NULL;
     return BUF_strndup(str, strlen(str));
 }
 
@@ -81,16 +82,22 @@ char *BUF_strndup(const char *str, size_t siz)
     char *ret;
 
     if (str == NULL)
-        return (NULL);
+        return NULL;
 
     siz = BUF_strnlen(str, siz);
 
+    if (siz >= INT_MAX)
+        return NULL;
+
     ret = OPENSSL_malloc(siz + 1);
     if (ret == NULL) {
         BUFerr(BUF_F_BUF_STRNDUP, ERR_R_MALLOC_FAILURE);
-        return (NULL);
+        return NULL;
     }
-    BUF_strlcpy(ret, str, siz + 1);
+
+    memcpy(ret, str, siz);
+    ret[siz] = '\0';
+
     return (ret);
 }
 
@@ -98,13 +105,13 @@ void *BUF_memdup(const void *data, size_t siz)
 {
     void *ret;
 
-    if (data == NULL)
-        return (NULL);
+    if (data == NULL || siz >= INT_MAX)
+        return NULL;
 
     ret = OPENSSL_malloc(siz);
     if (ret == NULL) {
         BUFerr(BUF_F_BUF_MEMDUP, ERR_R_MALLOC_FAILURE);
-        return (NULL);
+        return NULL;
     }
     return memcpy(ret, data, siz);
 }
diff --git a/doc/crypto/buffer.pod b/doc/crypto/buffer.pod
index c56cc89..d43518a 100644
--- a/doc/crypto/buffer.pod
+++ b/doc/crypto/buffer.pod
@@ -2,8 +2,11 @@
 
 =head1 NAME
 
-BUF_MEM_new, BUF_MEM_free, BUF_MEM_grow, BUF_strdup - simple
-character arrays structure
+BUF_MEM_new, BUF_MEM_new_ex, BUF_MEM_free, BUF_MEM_grow - simple
+character array structure
+
+BUF_strdup, BUF_strndup, BUF_memdup, BUF_strlcpy, BUF_strlcat -
+standard C library equivalents
 
 =head1 SYNOPSIS
 
@@ -13,31 +16,28 @@ character arrays structure
 
  #define BUF_MEM_FLAG_SECURE
 
- BUF_MEM * BUF_MEM_new_ex(unsigned long flags);
+ BUF_MEM *BUF_MEM_new_ex(unsigned long flags);
 
  void	BUF_MEM_free(BUF_MEM *a);
 
  int	BUF_MEM_grow(BUF_MEM *str, int len);
 
- char *	BUF_strdup(const char *str);
+ char *BUF_strdup(const char *str);
 
-=head1 DESCRIPTION
+ char *BUF_strndup(const char *str, size_t siz);
 
-The buffer library handles simple character arrays. Buffers are used for
-various purposes in the library, most notably memory BIOs.
+ void *BUF_memdup(const void *data, size_t siz);
+
+ size_t BUF_strlcpy(char *dst, const char *src, size_t size);
 
-The library uses the BUF_MEM structure defined in buffer.h:
+ size_t BUF_strlcat(char *dst, const char *src, size_t size);
 
- typedef struct buf_mem_st
- {
-        int length;     /* current number of bytes */
-        char *data;
-        int max;        /* size of buffer */
- } BUF_MEM;
+ size_t BUF_strnlen(const char *str, size_t maxlen);
 
-B<length> is the current size of the buffer in bytes, B<max> is the amount of
-memory allocated to the buffer. There are three functions which handle these
-and one "miscellaneous" function.
+=head1 DESCRIPTION
+
+The buffer library handles simple character arrays. Buffers are used for
+various purposes in the library, most notably memory BIOs.
 
 BUF_MEM_new() allocates a new buffer of zero size.
 
@@ -52,14 +52,17 @@ BUF_MEM_grow() changes the size of an already existing buffer to
 B<len>. Any data already in the buffer is preserved if it increases in
 size.
 
-BUF_strdup() copies a null terminated string into a block of allocated
-memory and returns a pointer to the allocated block.
-Unlike the standard C library strdup() this function uses OPENSSL_malloc() and so
-should be used in preference to the standard library strdup() because it can
-be used for memory leak checking or replacing the malloc() function.
+BUF_strdup(), BUF_strndup(), BUF_memdup(), BUF_strlcpy(),
+BUF_strlcat() and BUF_strnlen are equivalents of the standard C
+library functions. The dup() functions use OPENSSL_malloc() underneath
+and so should be used in preference to the standard library for memory
+leak checking or replacing the malloc() function.
+
+Memory allocated from these functions should be freed up using the
+OPENSSL_free() function.
 
-The memory allocated from BUF_strdup() should be freed up using the OPENSSL_free()
-function.
+BUF_strndup makes the explicit guarantee that it will never read past
+the first B<siz> bytes of B<str>.
 
 =head1 RETURN VALUES
 
diff --git a/include/openssl/buffer.h b/include/openssl/buffer.h
index af30a90..f22ed09 100644
--- a/include/openssl/buffer.h
+++ b/include/openssl/buffer.h
@@ -90,7 +90,13 @@ size_t BUF_MEM_grow(BUF_MEM *str, size_t len);
 size_t BUF_MEM_grow_clean(BUF_MEM *str, size_t len);
 size_t BUF_strnlen(const char *str, size_t maxlen);
 char *BUF_strdup(const char *str);
+
+/*
+ * Like strndup, but in addition, explicitly guarantees to never read past the
+ * first |siz| bytes of |str|.
+ */
 char *BUF_strndup(const char *str, size_t siz);
+
 void *BUF_memdup(const void *data, size_t siz);
 void BUF_reverse(unsigned char *out, unsigned char *in, size_t siz);

More information about the openssl-commits mailing list