fix bNetStr2Bstr: replace strlen with strnlen, cap digit-loop iterations

strlen(buff) scanned until a null terminator regardless of buffer
content, creating an OOB read risk on buffers that are not properly
null-terminated (e.g. data read directly from a network socket).

Two hardening changes, without breaking the API:

1. Cap the digit-parsing loop at 11 iterations (INT_MAX is 10 decimal
   digits). Add a post-loop check that ':' was actually found, so a
   buffer with no ':' in the first 11 bytes returns NULL immediately
   rather than scanning indefinitely.
2. Replace strlen with strnlen(buff, i + 2 + x), limiting the scan to
   exactly the number of bytes a valid netstring of the claimed length
   requires. An unterminated or truncated buffer is still caught by the
   existing bounds check; the scan is now bounded rather than open-ended.

Residual limitation: without a length parameter the caller cannot
provide an absolute bound, so strnlen may still scan up to x bytes
into the data region for large x. A future bNetStr2BstrN(buff, len)
variant would fully eliminate this.

Author: rdmark

bstring/bstraux.c

@@ -310,15 +310,19 @@ bNetStr2Bstr(const char * buff)
 	if (buff == NULL) {
 		return NULL;
 	}
-	size_t blen = strlen(buff);
 	x = 0;
-	for (i = 0; buff[i] != ':'; ++i) {
+	for (i = 0; i < 11 && buff[i] != ':'; ++i) {
 		unsigned int v = buff[i] - '0';
 		if (v > 9 || x > ((INT_MAX - (signed int)v) / 10)) {
 			return NULL;
 		}
 		x = (x * 10) + v;
 	}
+	if (buff[i] != ':') {
+		return NULL;
+	}
+	/* strnlen with exact bound: only scan as far as needed to verify the netstring */
+	size_t blen = strnlen(buff, (size_t)i + 2 + (size_t)x);
 	/* Bounds check: the buffer must contain i+1+x+1 chars (digits, ':', data, ',') */
 	if ((size_t)i + 1 + (size_t)x >= blen) {
 		return NULL;