Don't read past the end of the string in BUF_strndup. BUF_strlcpy still assumes |src| is a NUL-terminated string and will call strlen on it to determine the actual length. BUF_strndup's input need not be NUL-terminated. Change-Id: I9ca95e92533d12f1b0283412249bda4f8cf92433 Reviewed-on: https://boringssl-review.googlesource.com/1997 Reviewed-by: Adam Langley <agl@google.com>

commit: 721e6e1500de6741ebf73269e2dc6547a0236bdd [log] [tgz]
author: David Benjamin <davidben@chromium.org> Sun Oct 19 04:31:47 2014 -0400
committer: Adam Langley <agl@google.com> Mon Oct 20 20:07:02 2014 +0000
tree: 9b887e070b7af5063ad1df0b494e8c670fce999a
parent: b698617007b3b2048c052ef714e4fe48a175b3c4 [diff]
diff --git a/crypto/buf/buf.c b/crypto/buf/buf.c
index 94bbeaf..3fd822e 100644
--- a/crypto/buf/buf.c
+++ b/crypto/buf/buf.c

@@ -187,7 +187,8 @@
     return NULL;
   }
 
-  BUF_strlcpy(ret, buf, alloc_size);
+  memcpy(ret, buf, size);
+  ret[size] = '\0';
   return ret;
 }
commit	721e6e1500de6741ebf73269e2dc6547a0236bdd	[log] [tgz]
author	David Benjamin <davidben@chromium.org>	Sun Oct 19 04:31:47 2014 -0400
committer	Adam Langley <agl@google.com>	Mon Oct 20 20:07:02 2014 +0000
tree	9b887e070b7af5063ad1df0b494e8c670fce999a
parent	b698617007b3b2048c052ef714e4fe48a175b3c4 [diff]