The branch main has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=73586fcea630c2c4fb83e966920c039aee8a5fc9
commit 73586fcea630c2c4fb83e966920c039aee8a5fc9 Author: Mark Johnston <[email protected]> AuthorDate: 2025-12-08 14:08:22 +0000 Commit: Mark Johnston <[email protected]> CommitDate: 2025-12-08 14:08:22 +0000 libkern: Avoid a one-byte OOB access in strndup() If the length of the string is maxlen, we would end up copying maxlen+1 bytes, which violates the contract of the function. The result is the same since that extra byte is overwritten. Reported by: Kevin Day <[email protected]> Reviewed by: imp, kib MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D54093 --- sys/libkern/strndup.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sys/libkern/strndup.c b/sys/libkern/strndup.c index 75b33339e1c7..1fbcfd28cae4 100644 --- a/sys/libkern/strndup.c +++ b/sys/libkern/strndup.c @@ -40,9 +40,9 @@ strndup(const char *string, size_t maxlen, struct malloc_type *type) size_t len; char *copy; - len = strnlen(string, maxlen) + 1; - copy = malloc(len, type, M_WAITOK); + len = strnlen(string, maxlen); + copy = malloc(len + 1, type, M_WAITOK); memcpy(copy, string, len); - copy[len - 1] = '\0'; + copy[len] = '\0'; return (copy); }
