From: Stefan Sperling
Subject: Re: missing length check in got_path_is_child()
To: Theo Buehler
Cc: gameoftrees@openbsd.org
Date: Wed, 11 May 2022 21:00:36 +0200

On Wed, May 11, 2022 at 04:22:31PM +0200, Theo Buehler wrote:
> On Wed, May 11, 2022 at 04:05:33PM +0200, Stefan Sperling wrote:
> > If the child path is a NUL-terminated C string shorter than the parent
> > path, and the child path matches the parent path up to the child's end,
> > then we end up with an out-of-bounds read.
>
> In this situation the child's terminating NUL is smaller than the
> corresponding non-zero byte of the parent, so strncmp() will return > 0
> without going further. That's one reason why the manual says "The
> strncmp() function compares at most len characters."
>
> The C standard also explicitly says "characters that follow a null
> character are not compared", so I think we can rely on that and there is
> no out-of-bounds read.

Ah, yes, that makes sense. Thank you!
I somehow believed it would stop comparing as soon as a NUL byte is
encountered on either side.

Closing as "not-a-bug" then, the best kind of bug :)
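The point Theo makes above, as an added example that is not part of the thread and not Game of Trees code. got_path_is_child() itself is not reproduced; path_is_child() below is a hypothetical stand-in with the shape under discussion (a strncmp() of the child against the parent over the parent's length, with the child possibly shorter, and an assumed strncmp(child, parent, parent_len) argument order). counted_strncmp() is a reference implementation of the C semantics that records how many bytes it examined, and libc_strncmp_exact_buffer() runs the real strncmp() on a buffer with no slack after the NUL so that a sanitizer would catch any read past it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not Game of Trees code. got_path_is_child() itself is
 * not reproduced; path_is_child() below is a hypothetical stand-in with
 * the shape the thread discusses: a strncmp() of the child against the
 * parent over the parent's length, with the child possibly shorter.
 */

/* Index one past the last byte counted_strncmp() examined in s1. */
static size_t bytes_examined;

/*
 * Reference strncmp() with the semantics the thread relies on (C11
 * 7.24.4.4): compare at most n bytes, and stop at the first differing
 * byte or at a NUL present in both strings. A NUL in only one string
 * differs from the other string's byte, so it ends the comparison as
 * well; bytes after a NUL are never examined.
 */
static int
counted_strncmp(const char *s1, const char *s2, size_t n)
{
	size_t i;

	bytes_examined = 0;
	for (i = 0; i < n; i++) {
		unsigned char c1 = (unsigned char)s1[i];
		unsigned char c2 = (unsigned char)s2[i];

		bytes_examined = i + 1;
		if (c1 != c2)
			return (int)c1 - (int)c2;
		if (c1 == '\0')
			return 0;
	}
	return 0;
}

/*
 * Hypothetical child-path check: returns 1 if child lies below parent.
 * The strncmp() result guards the child[parent_len] access: when the
 * child is shorter than the parent, its NUL mismatches a parent byte,
 * strncmp() returns nonzero, and child[parent_len] is never touched.
 */
static int
path_is_child(const char *child, const char *parent)
{
	size_t parent_len = strlen(parent);

	if (parent_len == 0)
		return 1;	/* assumption: every path is below "" */
	if (counted_strncmp(child, parent, parent_len) != 0)
		return 0;
	return child[parent_len] == '/';
}

/* How many bytes of child the comparison in path_is_child() looked at. */
static size_t
bytes_examined_for(const char *child, const char *parent)
{
	(void)counted_strncmp(child, parent, strlen(parent));
	return bytes_examined;
}

/*
 * The same comparison with the C library's strncmp(), on a heap buffer
 * of exactly strlen(child) + 1 bytes: the compare length exceeds the
 * buffer, so any read past the NUL would be out of bounds. Build with
 * -fsanitize=address to confirm that no such read happens.
 */
static int
libc_strncmp_exact_buffer(const char *child, const char *parent)
{
	size_t clen = strlen(child);
	char *buf = malloc(clen + 1);
	int r;

	if (buf == NULL)
		abort();
	memcpy(buf, child, clen + 1);
	r = strncmp(buf, parent, strlen(parent));
	free(buf);
	return r;
}

int
main(void)
{
	/* Constructed sample: child shorter than parent, matching prefix. */
	const char *child = "foo", *parent = "foo/bar";

	printf("path_is_child(\"%s\", \"%s\") = %d\n", child, parent,
	    path_is_child(child, parent));
	printf("bytes examined: %zu, strlen(child)+1 = %zu\n",
	    bytes_examined_for(child, parent), strlen(child) + 1);
	printf("libc strncmp on exact-size buffer: %d\n",
	    libc_strncmp_exact_buffer(child, parent));
	printf("path_is_child(\"foo/bar\", \"foo\") = %d\n",
	    path_is_child("foo/bar", "foo"));
	return 0;
}
```

For "foo" against "foo/bar" the comparison examines exactly four bytes of the child, the last being its terminating NUL, even though the compare length is seven; the sign of the result depends only on which string is passed first.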