Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 22 Jun 2026 21:45:08 +0000
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Cc:        Jane Smith <thebugfixers@pm.me>
Subject:   git: 635ad6f2ec97 - main - librpcsec_gss: Fix an off-by-one in rpc_gss_get_principal_name()
Message-ID:  <6a39ace4.1fbcd.1e573503@gitrepo.freebsd.org>

index | next in thread | raw e-mail

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=635ad6f2ec97e9c6b1f15620cd5ee84eb632082f

commit 635ad6f2ec97e9c6b1f15620cd5ee84eb632082f
Author:     Jane Smith <thebugfixers@pm.me>
AuthorDate: 2026-06-22 21:40:53 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-06-22 21:44:44 +0000

    librpcsec_gss: Fix an off-by-one in rpc_gss_get_principal_name()
    
    Include an extra byte for the nul-terminator, otherwise we may end up
    with an out-of-bounds write.
    
    The corresponding bug in the kernel implementation was fixed by commit
    e3081f7e3e2d ("kgssapi(4): Fix string overrun in Kerberos principal construction").
    
    Reviewed by:    markj
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D57738
---
 lib/librpcsec_gss/svc_rpcsec_gss.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/librpcsec_gss/svc_rpcsec_gss.c b/lib/librpcsec_gss/svc_rpcsec_gss.c
index 73b92371e6d0..a15542330697 100644
--- a/lib/librpcsec_gss/svc_rpcsec_gss.c
+++ b/lib/librpcsec_gss/svc_rpcsec_gss.c
@@ -247,7 +247,7 @@ rpc_gss_get_principal_name(rpc_gss_principal_t *principal,
 	 * Construct a gss_buffer containing the full name formatted
 	 * as "name/node@domain" where node and domain are optional.
 	 */
-	namelen = strlen(name);
+	namelen = strlen(name) + 1;
 	if (node) {
 		namelen += strlen(node) + 1;
 	}


home | help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6a39ace4.1fbcd.1e573503>