From: Theo Buehler
Subject: Re: missing length check in got_path_is_child()
To: gameoftrees@openbsd.org
Date: Wed, 11 May 2022 16:22:31 +0200

On Wed, May 11, 2022 at 04:05:33PM +0200, Stefan Sperling wrote:
> If the child path is a NUL-terminated C string shorter than the parent
> path, and the child path matches the parent path up to the child's end,
> then we end up with an out-of-bounds read.

In this situation the child's terminating NUL is smaller than the
corresponding non-zero byte of the parent, so strncmp() will return > 0
without going further. That's one reason why the manual says "The
strncmp() function compares at most len characters." The C standard also
explicitly says "characters that follow a null character are not
compared", so I think we can rely on that and there is no out-of-bounds
read.
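To make the strncmp() argument above concrete, here is an added example (not got's own got_path_is_child(), whose exact code is not quoted in this thread): a hypothetical path_is_child() written in the same style, with the parent length passed in as strncmp()'s bound, exercised on the "child shorter than parent" case the thread discusses plus the neighbouring edge cases.

```c
#include <string.h>

/*
 * Hypothetical reimplementation of a parent/child path check in the
 * style discussed in the thread (not got's own got_path_is_child()).
 * parent_len is strlen(parent); child is a NUL-terminated string that
 * may well be shorter than parent_len bytes.
 */
int
path_is_child(const char *child, const char *parent, size_t parent_len)
{
	/* The root directory is the parent of everything. */
	if (parent_len == 0 || (parent_len == 1 && parent[0] == '/'))
		return 1;

	/*
	 * strncmp() compares at most parent_len bytes, but stops at the
	 * first NUL in either string (C11 7.24.4.4: characters that follow
	 * a null character are not compared).  A child shorter than the
	 * parent therefore yields a nonzero result at its terminator, and
	 * nothing past that terminator is read.
	 */
	if (strncmp(parent, child, parent_len) != 0)
		return 0;

	/*
	 * Same prefix: child[parent_len] is at worst the terminating NUL,
	 * so this read is in bounds.  Rejects "a/bc" under "a/b" (sibling
	 * with a common prefix) and "a/b" under "a/b" (the path itself).
	 */
	return child[parent_len] == '/';
}

/* Constructed cases, including the one from the thread; returns the number of failures. */
int
path_is_child_selfcheck(void)
{
	int fail = 0;
	fail += path_is_child("a/b/c", "a/b", 3) != 1;   /* real child */
	fail += path_is_child("a/b", "a/b", 3) != 0;     /* same path */
	fail += path_is_child("a/bc", "a/b", 3) != 0;    /* common prefix, not a child */
	fail += path_is_child("a", "a/b/c", 5) != 0;     /* child shorter than parent */
	fail += path_is_child("a/b", "a/bc/d", 6) != 0;  /* shorter, differs only at its NUL */
	fail += path_is_child("x", "/", 1) != 1;         /* root is parent of all */
	return fail;
}
```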