From de02167584606d02872e8f0918c882709bec6a80 Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Wed, 21 Feb 2024 16:10:43 +0100
Subject: [PATCH] BUG/MINOR: ist: allocate nul byte on istdup

istdup() is documented as having the same behavior as strdup(). However, it may cause confusion as it allocates a block of input length, without an extra byte for \0 delimiter. This behavior is incoherent as in case of an empty string however a single \0 is allocated. This API inconsistency could cause a bug anywhere an IST is used as a C-string after istdup() invocation. Currently, the only found issue is with 'wait' CLI command using 'srv-unused'. This causes a buffer overflow due to ist0() invocation after istdup() for be_name and sv_name. Backport should be done to all stable releases. Even if no bug has been found outside of wait CLI implementation, it ensures the code is more consistent on every releases.
---
 include/import/ist.h | 11 ++++------- 
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/include/import/ist.h b/include/import/ist.h
index 16b86164e..aff799dcb 100644
--- a/include/import/ist.h
+++ b/include/import/ist.h
@@ -939,16 +939,13 @@ static inline void istfree(struct ist *ist)
  */
 static inline struct ist istdup(const struct ist src)
 {
-	const size_t src_size = src.len;
-
-	/* Allocate at least 1 byte to allow duplicating an empty string with
-	 * malloc implementations that return NULL for a 0-size allocation.
-	 */
-	struct ist dst = istalloc(src_size ? src_size : 1);
+	/* Allocate 1 extra byte to add an extra \0 delimiter. */
+	struct ist dst = istalloc(src.len + 1);
 	if (isttest(dst)) {
-		istcpy(&dst, src, src_size);
+		istcpy(&dst, src, src.len);
 	}
+	dst.ptr[dst.len] = '\0';
 	return dst;
 }
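Review bot: The added `dst.ptr[dst.len] = '\0';` sits outside the `if (isttest(dst))` guard, so when istalloc() fails and the IST presumably carries a NULL pointer (the condition isttest() is checking), the function now writes through that NULL pointer instead of returning the failed IST for the caller to check. The terminator only makes sense on a successful copy, so it should move inside the guard: `if (isttest(dst)) { istcpy(&dst, src, src.len); dst.ptr[dst.len] = '\0'; }`. The new comment could also state the invariant being relied on, e.g. `/* Allocate 1 extra byte so that ist0() or a C-string user can rely on a \0 at ptr[len]. */`, since that is the overflow the commit message describes.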