Date:      Mon, 08 Dec 2025 14:12:02 +0000
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 73586fcea630 - main - libkern: Avoid a one-byte OOB access in strndup()
Message-ID:  <6936dcb2.2fea8.5fcd778@gitrepo.freebsd.org>

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=73586fcea630c2c4fb83e966920c039aee8a5fc9

commit 73586fcea630c2c4fb83e966920c039aee8a5fc9
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2025-12-08 14:08:22 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2025-12-08 14:08:22 +0000

    libkern: Avoid a one-byte OOB access in strndup()
    
    If the length of the string is maxlen, we would end up copying maxlen+1
    bytes, which violates the contract of the function.  The result is the
    same since that extra byte is overwritten.
    
    Reported by:    Kevin Day <kevin@your.org>
    Reviewed by:    imp, kib
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D54093
---
 sys/libkern/strndup.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sys/libkern/strndup.c b/sys/libkern/strndup.c
index 75b33339e1c7..1fbcfd28cae4 100644
--- a/sys/libkern/strndup.c
+++ b/sys/libkern/strndup.c
@@ -40,9 +40,9 @@ strndup(const char *string, size_t maxlen, struct malloc_type *type)
 	size_t len;
 	char *copy;
 
-	len = strnlen(string, maxlen) + 1;
-	copy = malloc(len, type, M_WAITOK);
+	len = strnlen(string, maxlen);
+	copy = malloc(len + 1, type, M_WAITOK);
 	memcpy(copy, string, len);
-	copy[len - 1] = '\0';
+	copy[len] = '\0';
 	return (copy);
 }
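
Review bot: At `copy = malloc(len + 1, type, M_WAITOK);`, `len` now holds the string length without the terminator, where it previously held the allocation size, and nothing in the function says so. A one-line comment there noting that the extra byte is for the NUL would keep a later edit from passing the larger value to `memcpy(copy, string, len)` again. With this change the read is bounded by the value `strnlen(string, maxlen)` returned, so `string[maxlen]` is never touched, which matches the commit message. A regression test that calls the function on a source buffer of exactly maxlen bytes with no NUL inside it, run under a kernel memory sanitizer, would cover the case being fixed.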


