libkern: Avoid a one-byte OOB access in strndup()
ClosedPublic
Actions

Authored by markj on Dec 5 2025, 9:39 PM.

Details

Reviewers

kib
imp

Commits

rG6162c06963ab: libkern: Avoid a one-byte OOB access in strndup()
rGf6ad204da856: libkern: Avoid a one-byte OOB access in strndup()
rG73586fcea630: libkern: Avoid a one-byte OOB access in strndup()

Summary

If the length of the string is maxlen, we would end up copying maxlen+1
bytes, which violates the contract of the function. The result is the
same since that extra byte is overwritten.

Reported by: Kevin Day <kevin@your.org>

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

markj created this revision.Dec 5 2025, 9:39 PM

Herald added a subscriber: imp. · View Herald TranscriptDec 5 2025, 9:39 PM

markj requested review of this revision.Dec 5 2025, 9:39 PM

Harbormaster completed remote builds in B69081: Diff 167608.Dec 5 2025, 9:39 PM

imp accepted this revision.Dec 5 2025, 9:41 PM

This revision is now accepted and ready to land.Dec 5 2025, 9:41 PM

kib added inline comments.Dec 5 2025, 9:55 PM

sys/libkern/strndup.c
43–44	It would be cleaner to stop adding 1 to len. There is only one use of 'strnlen + 1' value, in malloc. There, you can add 1 explicitly. Then the code becomes similar (if not identical) to the libc version.