lsearch(3): append key to array with memmove(3) instead of memcpy(3)

If the key overlaps the end of the array, memcpy(3) mutates the key
and copies a corrupted value into the end of the array.

If we use memmove(3) instead we at least end up with a clean copy of
the key at the end of the array.  This is closer to the intended
behavior.

With input from millert@ and deraadt@.

Thread: https://marc.info/?l=openbsd-tech&m=163880307403606&w=2

ok millert@

1 files changed, 7 insertions, 2 deletions

diff --git a/src/lib/libc/stdlib/lsearch.c b/src/lib/libc/stdlib/lsearch.c
index 8cad05f510..93e200e1bd 100644
--- a/src/lib/libc/stdlib/lsearch.c
+++ b/src/lib/libc/stdlib/lsearch.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: lsearch.c,v 1.5 2014/07/18 04:16:09 matthew Exp $     */
+/*      $OpenBSD: lsearch.c,v 1.6 2021/12/07 04:01:45 cheloha Exp $     */
 
 /*
  * Copyright (c) 1989, 1993
@@ -79,6 +79,11 @@ linear_base(const void *key, const void *base, size_t *nelp, size_t width,
          * manual.
          */
         ++*nelp;
-        memcpy((void *)end, key, width);
+
+        /*
+         * Use memmove(3) to ensure the key is copied cleanly into the
+         * array, even if the key overlaps with the end of the array.
+         */
+        memmove((void *)end, key, width);
         return((void *)end);
 }