From 087b84e25df1d42f7e60c4322b1cbdd5c384c8f9 Mon Sep 17 00:00:00 2001
From: cheloha
Date: Tue, 7 Dec 2021 04:01:45 +0000
Subject: [PATCH] lsearch(3): append key to array with memmove(3) instead of memcpy(3) If the key overlaps the end of the array, memcpy(3) mutates the key and copies a corrupted value into the end of the array. If we use memmove(3) instead we at least end up with a clean copy of the key at the end of the array. This is closer to the intended behavior. With input from millert@ and deraadt@. Thread: https://marc.info/?l=openbsd-tech&m=163880307403606&w=2 ok millert@
---
 lib/libc/stdlib/lsearch.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/lib/libc/stdlib/lsearch.c b/lib/libc/stdlib/lsearch.c
index 8cad05f5102..93e200e1bdb 100644
--- a/lib/libc/stdlib/lsearch.c
+++ b/lib/libc/stdlib/lsearch.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: lsearch.c,v 1.5 2014/07/18 04:16:09 matthew Exp $ */
+/* $OpenBSD: lsearch.c,v 1.6 2021/12/07 04:01:45 cheloha Exp $ */
 /*
 * Copyright (c) 1989, 1993
@@ -79,6 +79,11 @@ linear_base(const void *key, const void *base, size_t *nelp, size_t width,
 * manual.
 */
 ++*nelp;
- memcpy((void *)end, key, width);
+
+ /*
+ * Use memmove(3) to ensure the key is copied cleanly into the
+ * array, even if the key overlaps with the end of the array.
+ */
+ memmove((void *)end, key, width);
 return((void *)end);
 }
--
2.20.1
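Review bot: The comment added above `memmove((void *)end, key, width);` explains that the appended element is a clean copy, but it does not say that the caller's key is still modified. When `key` partially overlaps the new slot at `end`, the key bytes inside that slot are overwritten, even though the parameter is declared `const void *key`. I would add a line such as `* The key's own storage is still overwritten where it overlaps the new slot.` so a later reader does not take memmove(3) as making the overlapping call safe for the caller. The diffstat shows only lsearch.c changed, so a regression case with an overlapping key would help pin the new behaviour. linear_base starts outside this hunk, so whether earlier code constrains `key` or the array's capacity is not visible here.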