rlm_ftp.c: OOB NUL write when total is exact multiple of FTP_BODY_ALLOC_CHUNK

author Alexander Bainbridge-Sedivy <alex.bainbridge@inkbridge.io>

Mon, 11 May 2026 18:48:30 +0000 (14:48 -0400)

committer Alan T. DeKok <aland@freeradius.org>

Wed, 27 May 2026 18:28:32 +0000 (14:28 -0400)
author Alexander Bainbridge-Sedivy <alex.bainbridge@inkbridge.io>
Mon, 11 May 2026 18:48:30 +0000 (14:48 -0400)
committer Alan T. DeKok <aland@freeradius.org>
Wed, 27 May 2026 18:28:32 +0000 (14:28 -0400)
diff --git a/src/modules/rlm_ftp/rlm_ftp.c b/src/modules/rlm_ftp/rlm_ftp.c

index 2e24e6bf6dc77a1a85a92a05e18b764817242f03..c7ccc26d10b29d7a98a8dec5c7d5520fe3462231 100644 (file)
--- a/src/modules/rlm_ftp/rlm_ftp.c
+++ b/src/modules/rlm_ftp/rlm_ftp.c
@@ -240,7 +240,7 @@ static size_t ftp_response_body(void *in, size_t size, size_t nmemb, void *userd
         /*
          *      Ensure that there's enough room in the buffer for all of the data that we need to write.
          */
-       needed = ROUND_UP(total, FTP_BODY_ALLOC_CHUNK);
+       needed = ROUND_UP(total + 1, FTP_BODY_ALLOC_CHUNK);
         if (needed > ctx->alloc) {
                 MEM(ctx->buffer = talloc_bstr_realloc(NULL, ctx->buffer, needed));
                 ctx->alloc = needed;
author	Alexander Bainbridge-Sedivy <alex.bainbridge@inkbridge.io>
	Mon, 11 May 2026 18:48:30 +0000 (14:48 -0400)
committer	Alan T. DeKok <aland@freeradius.org>
	Wed, 27 May 2026 18:28:32 +0000 (14:28 -0400)