helpers.c: Fix undefined behavior in strndup()

Using strlen() or strdup() inside strndup() is problematic: if the input string is not null-terminated, these functions can read past the end of the buffer, which triggers undefined behavior. Rewrite the function to never read past the provided `maxlen` bound. Change-Id: Id34127024085879228626fbad59af03268ec5255 Signed-off-by: Xiang Wang <merle@hardenedliux.org> Reviewed-on: https://review.coreboot.org/c/flashrom/+/49741 Reviewed-by: Angel Pons <th3fanbus@gmail.com> Reviewed-by: Edward O'Callaghan <quasisec@chromium.org> Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-on: https://review.coreboot.org/c/flashrom/+/67870 Reviewed-by: Felix Singer <felixsinger@posteo.net>
2025-04-27 15:12:36 +02:00 · 2021-01-20 17:31:19 +08:00 · 2021-01-20 17:31:19 +08:00 · 5feb8cdb6f
commit 5feb8cdb6f
parent b822ce85aa
1 changed files with 9 additions and 8 deletions
--- a/helpers.c
+++ b/helpers.c
@ -106,15 +106,16 @@ char* strtok_r(char *str, const char *delim, char **nextp)
 /* strndup is a POSIX function not present in MinGW */
 char *strndup(const char *src, size_t maxlen)
 {
-	if (strlen(src) > maxlen) {
+	char *retbuf;
-		char *retbuf;
+	size_t len;
-		if ((retbuf = malloc(1 + maxlen)) != NULL) {
+	for (len = 0; len < maxlen; len++)
-			memcpy(retbuf, src, maxlen);
+		if (src[len] == '\0')
-			retbuf[maxlen] = '\0';
+			break;
-		}
+	if ((retbuf = malloc(1 + len)) != NULL) {
-		return retbuf;
+		memcpy(retbuf, src, len);
 		retbuf[len] = '\0';
 	}
-	return strdup(src);
+	return retbuf;
 }
 #endif