git: 635ad6f2ec97 - main - librpcsec_gss: Fix an off-by-one in rpc_gss_get_principal_name()
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 22 Jun 2026 21:45:08 UTC
The branch main has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=635ad6f2ec97e9c6b1f15620cd5ee84eb632082f
commit 635ad6f2ec97e9c6b1f15620cd5ee84eb632082f
Author: Jane Smith <thebugfixers@pm.me>
AuthorDate: 2026-06-22 21:40:53 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-06-22 21:44:44 +0000
librpcsec_gss: Fix an off-by-one in rpc_gss_get_principal_name()
Include an extra byte for the nul-terminator, otherwise we may end up
with an out-of-bounds write.
The corresponding bug in the kernel implementation was fixed by commit
e3081f7e3e2d ("kgssapi(4): Fix string overrun in Kerberos principal construction").
Reviewed by: markj
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D57738
---
lib/librpcsec_gss/svc_rpcsec_gss.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/librpcsec_gss/svc_rpcsec_gss.c b/lib/librpcsec_gss/svc_rpcsec_gss.c
index 73b92371e6d0..a15542330697 100644
--- a/lib/librpcsec_gss/svc_rpcsec_gss.c
+++ b/lib/librpcsec_gss/svc_rpcsec_gss.c
@@ -247,7 +247,7 @@ rpc_gss_get_principal_name(rpc_gss_principal_t *principal,
* Construct a gss_buffer containing the full name formatted
* as "name/node@domain" where node and domain are optional.
*/
- namelen = strlen(name);
+ namelen = strlen(name) + 1;
if (node) {
namelen += strlen(node) + 1;
}