Date: Mon, 15 Dec 2025 14:14:05 +0000 From: Mark Johnston <markj@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: f6ad204da856 - stable/14 - libkern: Avoid a one-byte OOB access in strndup() Message-ID: <694017ad.35172.319c6355@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch stable/14 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=f6ad204da856e722b4995f929a09c96ccc38d537 commit f6ad204da856e722b4995f929a09c96ccc38d537 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2025-12-08 14:08:22 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2025-12-15 14:12:39 +0000 libkern: Avoid a one-byte OOB access in strndup() If the length of the string is maxlen, we would end up copying maxlen+1 bytes, which violates the contract of the function. The result is the same since that extra byte is overwritten. Reported by: Kevin Day <kevin@your.org> Reviewed by: imp, kib MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D54093 (cherry picked from commit 73586fcea630c2c4fb83e966920c039aee8a5fc9) --- sys/libkern/strndup.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sys/libkern/strndup.c b/sys/libkern/strndup.c index 9065153d7232..eb4bd88fa42b 100644 --- a/sys/libkern/strndup.c +++ b/sys/libkern/strndup.c @@ -41,9 +41,9 @@ strndup(const char *string, size_t maxlen, struct malloc_type *type) size_t len; char *copy; - len = strnlen(string, maxlen) + 1; - copy = malloc(len, type, M_WAITOK); + len = strnlen(string, maxlen); + copy = malloc(len + 1, type, M_WAITOK); memcpy(copy, string, len); - copy[len - 1] = '\0'; + copy[len] = '\0'; return (copy); }help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?694017ad.35172.319c6355>