Page MenuHomeFreeBSD

libkern: Avoid a one-byte OOB access in strndup()
ClosedPublic

Authored by markj on Dec 5 2025, 9:39 PM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Jul 2, 7:20 PM
Unknown Object (File)
Sat, Jun 27, 3:33 PM
Unknown Object (File)
Fri, Jun 26, 2:11 AM
Unknown Object (File)
Thu, Jun 25, 9:33 AM
Unknown Object (File)
Wed, Jun 24, 11:33 PM
Unknown Object (File)
Wed, Jun 24, 4:02 AM
Unknown Object (File)
Sun, Jun 14, 10:39 AM
Unknown Object (File)
May 21 2026, 10:54 AM
Subscribers

Details

Summary

If the length of the string is maxlen, we would end up copying maxlen+1
bytes, which violates the contract of the function. The result is the
same since that extra byte is overwritten.

Reported by: Kevin Day <kevin@your.org>

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

markj requested review of this revision.Dec 5 2025, 9:39 PM
This revision is now accepted and ready to land.Dec 5 2025, 9:41 PM
sys/libkern/strndup.c
43–44

It would be cleaner to stop adding 1 to len. There is only one use of 'strnlen + 1' value, in malloc. There, you can add 1 explicitly.

Then the code becomes similar (if not identical) to the libc version.

markj marked an inline comment as done.

Take kib's suggestion

This revision now requires review to proceed.Dec 5 2025, 10:06 PM
This revision is now accepted and ready to land.Dec 5 2025, 10:29 PM