Date: Mon, 15 Dec 2025 14:16:13 +0000 From: Mark Johnston <markj@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 6162c06963ab - stable/15 - libkern: Avoid a one-byte OOB access in strndup() Message-ID: <6940182d.35a0e.27377003@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch stable/15 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=6162c06963abe3b56e7c26112052f541b4246bf7 commit 6162c06963abe3b56e7c26112052f541b4246bf7 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2025-12-08 14:08:22 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2025-12-15 14:09:37 +0000 libkern: Avoid a one-byte OOB access in strndup() If the length of the string is maxlen, we would end up copying maxlen+1 bytes, which violates the contract of the function. The result is the same since that extra byte is overwritten. Reported by: Kevin Day <kevin@your.org> Reviewed by: imp, kib MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D54093 (cherry picked from commit 73586fcea630c2c4fb83e966920c039aee8a5fc9) --- sys/libkern/strndup.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sys/libkern/strndup.c b/sys/libkern/strndup.c index 75b33339e1c7..1fbcfd28cae4 100644 --- a/sys/libkern/strndup.c +++ b/sys/libkern/strndup.c @@ -40,9 +40,9 @@ strndup(const char *string, size_t maxlen, struct malloc_type *type) size_t len; char *copy; - len = strnlen(string, maxlen) + 1; - copy = malloc(len, type, M_WAITOK); + len = strnlen(string, maxlen); + copy = malloc(len + 1, type, M_WAITOK); memcpy(copy, string, len); - copy[len - 1] = '\0'; + copy[len] = '\0'; return (copy); }help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6940182d.35a0e.27377003>