The branch stable/14 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=f6ad204da856e722b4995f929a09c96ccc38d537
commit f6ad204da856e722b4995f929a09c96ccc38d537 Author: Mark Johnston <[email protected]> AuthorDate: 2025-12-08 14:08:22 +0000 Commit: Mark Johnston <[email protected]> CommitDate: 2025-12-15 14:12:39 +0000 libkern: Avoid a one-byte OOB access in strndup() If the length of the string is maxlen, we would end up copying maxlen+1 bytes, which violates the contract of the function. The result is the same since that extra byte is overwritten. Reported by: Kevin Day <[email protected]> Reviewed by: imp, kib MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D54093 (cherry picked from commit 73586fcea630c2c4fb83e966920c039aee8a5fc9) --- sys/libkern/strndup.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sys/libkern/strndup.c b/sys/libkern/strndup.c index 9065153d7232..eb4bd88fa42b 100644 --- a/sys/libkern/strndup.c +++ b/sys/libkern/strndup.c @@ -41,9 +41,9 @@ strndup(const char *string, size_t maxlen, struct malloc_type *type) size_t len; char *copy; - len = strnlen(string, maxlen) + 1; - copy = malloc(len, type, M_WAITOK); + len = strnlen(string, maxlen); + copy = malloc(len + 1, type, M_WAITOK); memcpy(copy, string, len); - copy[len - 1] = '\0'; + copy[len] = '\0'; return (copy); }
