Fix string_copyn() for limit greater than actual string length

Broken-by: a76d120aed

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 82bac62b9468f5d71971350b4fa56320b69df390..d492a62b73620b57d9f3baa2c9ef1187b522d20c 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -131,6 +131,11 @@ JH/29 TLS resumption: the key for session lookup in the client now includes
       session, avoiding oferring mismatching sessions to such a server.
       Previously only the server IP was used.
 
+JH/30 Fix string_copyn() for limit greater than actual string length.
+      Previously the copied amount was the limit, which could result in a
+      overlapping memcpy for newly allocated destination soon after a
+      source string shorter than the limit.  Found/investigated  by KM.
+
 
 Exim version 4.95
 -----------------

diff --git a/src/src/functions.h b/src/src/functions.h
index f8e0cd77e3be5c3f0e087832b4d32a47dc8b6e09..07df8755b33f6f81da05a8c4a94bcc6a17d93294 100644 (file)
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -788,7 +788,10 @@ static inline uschar *
 string_copyn_taint_trc(const uschar * s, unsigned len,
        const void * proto_mem, const char * func, int line)
 {
-uschar * ss = store_get_3(len + 1, proto_mem, func, line);
+uschar * ss;
+unsigned slen = Ustrlen(s);
+if (len > slen) len = slen;
+ss = store_get_3(len + 1, proto_mem, func, line);
 memcpy(ss, s, len);
 ss[len] = '\0';
 return ss;