From 2b4be69eee372e1010af2302e82c3d0cf1d875e9 Mon Sep 17 00:00:00 2001
From: Michael Brown <mcb30@ipxe.org>
Date: Sun, 18 May 2014 21:05:39 +0100
Subject: [libc] Prevent strndup() from reading beyond the end of the string

strndup() may be called on a string which is not NUL-terminated.  Use
strnlen() instead of strlen() to ensure that we do not read beyond the
end of such a string.

Add self-tests for strndup(), including a test case with an
unterminated string.

Originally-fixed-by: Marin Hannache <git@mareo.fr>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
---
 src/core/string.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

(limited to 'src/core')

diff --git a/src/core/string.c b/src/core/string.c
index 190007a4..e53c283c 100644
--- a/src/core/string.c
+++ b/src/core/string.c
@@ -337,11 +337,9 @@ void * memchr(const void *s, int c, size_t n)
 
 char * strndup(const char *s, size_t n)
 {
-        size_t len = strlen(s);
+        size_t len = strnlen(s,n);
         char *new;
 
-        if (len>n)
-                len = n;
         new = malloc(len+1);
         if (new) {
                 new[len] = '\0';
-- 
cgit