The buffer size is calculated without room for the terminating null byte:
namelen = strlen(name); /* missing +1 */ if (node) namelen += strlen(node) + 1; /* +1 for '/' */ if (domain) namelen += strlen(domain) + 1; /* +1 for '@' */ buf.value = mem_alloc(namelen); /* exact size, no NUL */ strcpy((char *)buf.value, name); /* writes strlen+1 bytes */
Even when node and domain are provided, the calculation only accounts for separators (/ and @), not for the final \0. Every call therefore writes one byte past the allocation.
Impact: Heap metadata corruption leading to crashes or exploitable memory corruption.
Fix: Change the first line to namelen = strlen(name) + 1; (as the kernel version correctly does).