lsearch(3): append key to array with memmove(3) instead of memcpy(3)

If the key overlaps the end of the array, memcpy(3) mutates the key
and copies a corrupted value into the end of the array.

If we use memmove(3) instead we at least end up with a clean copy of
the key at the end of the array.  This is closer to the intended
behavior.

With input from millert@ and deraadt@.

Thread: https://marc.info/?l=openbsd-tech&m=163880307403606&w=2

ok millert@

diff --git a/lib/libc/stdlib/lsearch.c b/lib/libc/stdlib/lsearch.c
index 8cad05f..93e200e 100644 (file)
--- a/lib/libc/stdlib/lsearch.c
+++ b/lib/libc/stdlib/lsearch.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: lsearch.c,v 1.5 2014/07/18 04:16:09 matthew Exp $     */
+/*     $OpenBSD: lsearch.c,v 1.6 2021/12/07 04:01:45 cheloha Exp $     */
 
 /*
  * Copyright (c) 1989, 1993
@@ -79,6 +79,11 @@ linear_base(const void *key, const void *base, size_t *nelp, size_t width,
         * manual.
         */
        ++*nelp;
-       memcpy((void *)end, key, width);
+
+       /*
+        * Use memmove(3) to ensure the key is copied cleanly into the
+        * array, even if the key overlaps with the end of the array.
+        */
+       memmove((void *)end, key, width);
        return((void *)end);
 }