git: 73586fcea630 - main - libkern: Avoid a one-byte OOB access in strndup()
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 08 Dec 2025 14:12:02 UTC
The branch main has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=73586fcea630c2c4fb83e966920c039aee8a5fc9
commit 73586fcea630c2c4fb83e966920c039aee8a5fc9
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2025-12-08 14:08:22 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2025-12-08 14:08:22 +0000
libkern: Avoid a one-byte OOB access in strndup()
If the length of the string is maxlen, we would end up copying maxlen+1
bytes, which violates the contract of the function. The result is the
same since that extra byte is overwritten.
Reported by: Kevin Day <kevin@your.org>
Reviewed by: imp, kib
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D54093
---
sys/libkern/strndup.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sys/libkern/strndup.c b/sys/libkern/strndup.c
index 75b33339e1c7..1fbcfd28cae4 100644
--- a/sys/libkern/strndup.c
+++ b/sys/libkern/strndup.c
@@ -40,9 +40,9 @@ strndup(const char *string, size_t maxlen, struct malloc_type *type)
size_t len;
char *copy;
- len = strnlen(string, maxlen) + 1;
- copy = malloc(len, type, M_WAITOK);
+ len = strnlen(string, maxlen);
+ copy = malloc(len + 1, type, M_WAITOK);
memcpy(copy, string, len);
- copy[len - 1] = '\0';
+ copy[len] = '\0';
return (copy);
}