| author | Mark Johnston <markj@FreeBSD.org> | 2025-12-08 14:08:22 +0000 |
|---|---|---|
| committer | Mark Johnston <markj@FreeBSD.org> | 2025-12-08 14:08:22 +0000 |
| commit | 73586fcea630c2c4fb83e966920c039aee8a5fc9 (patch) | |
| tree | 017e50e1144d40bdcaf32eb279aba7f2b1fc2014 | |
| parent | 792221630bf4e58fcd923547bab689f4497613d8 (diff) | |
libkern: Avoid a one-byte OOB access in strndup()
If the length of the string is maxlen, we would end up copying maxlen+1
bytes, which violates the contract of the function. The result is the
same since that extra byte is overwritten.
Reported by: Kevin Day <kevin@your.org>
Reviewed by: imp, kib
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D54093
| -rw-r--r-- | sys/libkern/strndup.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/sys/libkern/strndup.c b/sys/libkern/strndup.c index 75b33339e1c7..1fbcfd28cae4 100644 --- a/sys/libkern/strndup.c +++ b/sys/libkern/strndup.c @@ -40,9 +40,9 @@ strndup(const char *string, size_t maxlen, struct malloc_type *type) size_t len; char *copy; - len = strnlen(string, maxlen) + 1; - copy = malloc(len, type, M_WAITOK); + len = strnlen(string, maxlen); + copy = malloc(len + 1, type, M_WAITOK); memcpy(copy, string, len); - copy[len - 1] = '\0'; + copy[len] = '\0'; return (copy); } |
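Review bot: the three changed lines in strndup() depend on `len` now meaning the string length without the terminator, and nothing in the hunk says so; a short comment above `len = strnlen(string, maxlen);` stating that `len` excludes the NUL and that the `+ 1` in `malloc(len + 1, type, M_WAITOK)` is for the terminator would help keep a later edit from folding the `+ 1` back into `len` and reintroducing the read of `string[maxlen]` in `memcpy(copy, string, len)`. With the change as written, memcpy() reads at most `maxlen` bytes from `string` and `copy[len] = '\0'` writes the last byte of the `len + 1` allocation, so the bounds are consistent. A test case with an unterminated source buffer of exactly `maxlen` bytes would cover the reported case.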
