BUG/MINOR: ist: allocate nul byte on istdup

istdup() is documented as having the same behavior as strdup(). However,
it may cause confusion as it allocates a block of input length, without
an extra byte for \0 delimiter. This behavior is incoherent as in case
of an empty string however a single \0 is allocated.

This API inconsistency could cause a bug anywhere an IST is used as a
C-string after istdup() invocation. Currently, the only found issue is
with 'wait' CLI command using 'srv-unused'. This causes a buffer
overflow due to ist0() invocation after istdup() for be_name and
sv_name.

Backport should be done to all stable releases. Even if no bug has been
found outside of wait CLI implementation, it ensures the code is more
consistent on every releases.

diff --git a/include/import/ist.h b/include/import/ist.h
index 16b86164ea38697a92c017587d449092a092ea59..aff799dcb4227adc144a4c925c8f779aea77a6c3 100644 (file)
--- a/include/import/ist.h
+++ b/include/import/ist.h
@@ -939,16 +939,13 @@ static inline void istfree(struct ist *ist)
  */
 static inline struct ist istdup(const struct ist src)
 {
-       const size_t src_size = src.len;
-
-       /* Allocate at least 1 byte to allow duplicating an empty string with
-        * malloc implementations that return NULL for a 0-size allocation.
-        */
-       struct ist dst = istalloc(src_size ? src_size : 1);
+       /* Allocate 1 extra byte to add an extra \0 delimiter. */
+       struct ist dst = istalloc(src.len + 1);
 
        if (isttest(dst)) {
-               istcpy(&dst, src, src_size);
+               istcpy(&dst, src, src.len);
        }
+       dst.ptr[dst.len] = '\0';
 
        return dst;
 }