git: f6ad204da856 - stable/14 - libkern: Avoid a one-byte OOB access in strndup()
Date: Mon, 15 Dec 2025 14:14:05 UTC
The branch stable/14 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=f6ad204da856e722b4995f929a09c96ccc38d537
commit f6ad204da856e722b4995f929a09c96ccc38d537
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2025-12-08 14:08:22 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2025-12-15 14:12:39 +0000
libkern: Avoid a one-byte OOB access in strndup()
If the length of the string is maxlen, we would end up copying maxlen+1
bytes, which violates the contract of the function. The result is the
same since that extra byte is overwritten.
Reported by: Kevin Day <kevin@your.org>
Reviewed by: imp, kib
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D54093
(cherry picked from commit 73586fcea630c2c4fb83e966920c039aee8a5fc9)
---
sys/libkern/strndup.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sys/libkern/strndup.c b/sys/libkern/strndup.c
index 9065153d7232..eb4bd88fa42b 100644
--- a/sys/libkern/strndup.c
+++ b/sys/libkern/strndup.c
@@ -41,9 +41,9 @@ strndup(const char *string, size_t maxlen, struct malloc_type *type)
size_t len;
char *copy;
- len = strnlen(string, maxlen) + 1;
- copy = malloc(len, type, M_WAITOK);
+ len = strnlen(string, maxlen);
+ copy = malloc(len + 1, type, M_WAITOK);
memcpy(copy, string, len);
- copy[len - 1] = '\0';
+ copy[len] = '\0';
return (copy);
}
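Review bot: a short comment is missing above memcpy(copy, string, len) stating that string may have no NUL within maxlen bytes, so exactly len bytes are read and the terminator is written separately by copy[len] = '\0'. Without it, a later cleanup could fold the +1 back into len and bring back the read of string[maxlen]. The destination side is consistent as written: the allocation is len + 1 bytes and the highest index written is len. In the removed lines the extra byte was a read one past the source bound when strnlen() returned maxlen, not a write past copy, which matches the commit message's remark that the result was unchanged.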