Date: Mon, 22 Jun 2026 21:45:08 +0000 From: Mark Johnston <markj@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Cc: Jane Smith <thebugfixers@pm.me> Subject: git: 635ad6f2ec97 - main - librpcsec_gss: Fix an off-by-one in rpc_gss_get_principal_name() Message-ID: <6a39ace4.1fbcd.1e573503@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch main has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=635ad6f2ec97e9c6b1f15620cd5ee84eb632082f commit 635ad6f2ec97e9c6b1f15620cd5ee84eb632082f Author: Jane Smith <thebugfixers@pm.me> AuthorDate: 2026-06-22 21:40:53 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2026-06-22 21:44:44 +0000 librpcsec_gss: Fix an off-by-one in rpc_gss_get_principal_name() Include an extra byte for the nul-terminator, otherwise we may end up with an out-of-bounds write. The corresponding bug in the kernel implementation was fixed by commit e3081f7e3e2d ("kgssapi(4): Fix string overrun in Kerberos principal construction"). Reviewed by: markj MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D57738 --- lib/librpcsec_gss/svc_rpcsec_gss.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/librpcsec_gss/svc_rpcsec_gss.c b/lib/librpcsec_gss/svc_rpcsec_gss.c index 73b92371e6d0..a15542330697 100644 --- a/lib/librpcsec_gss/svc_rpcsec_gss.c +++ b/lib/librpcsec_gss/svc_rpcsec_gss.c @@ -247,7 +247,7 @@ rpc_gss_get_principal_name(rpc_gss_principal_t *principal, * Construct a gss_buffer containing the full name formatted * as "name/node@domain" where node and domain are optional. */ - namelen = strlen(name); + namelen = strlen(name) + 1; if (node) { namelen += strlen(node) + 1; }home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6a39ace4.1fbcd.1e573503>
