From: Alexander Bainbridge-Sedivy <alex.bainbridge@inkbridge.io>
Date: Mon, 11 May 2026 18:48:30 +0000 (-0400)
Subject: rlm_ftp.c: OOB NUL write when total is exact multiple of FTP_BODY_ALLOC_CHUNK
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=e5d2a349a6f25a45650e76c4e2ab72f0cc64a9ce;p=thirdparty%2Ffreeradius-server.git

rlm_ftp.c: OOB NUL write when total is exact multiple of FTP_BODY_ALLOC_CHUNK
---

diff --git a/src/modules/rlm_ftp/rlm_ftp.c b/src/modules/rlm_ftp/rlm_ftp.c
index 2e24e6bf6dc..c7ccc26d10b 100644
--- a/src/modules/rlm_ftp/rlm_ftp.c
+++ b/src/modules/rlm_ftp/rlm_ftp.c
@@ -240,7 +240,7 @@ static size_t ftp_response_body(void *in, size_t size, size_t nmemb, void *userd
 	/*
 	 *	Ensure that there's enough room in the buffer for all of the data that we need to write.
 	 */
-	needed = ROUND_UP(total, FTP_BODY_ALLOC_CHUNK);
+	needed = ROUND_UP(total + 1, FTP_BODY_ALLOC_CHUNK);
 	if (needed > ctx->alloc) {
 		MEM(ctx->buffer = talloc_bstr_realloc(NULL, ctx->buffer, needed));
 		ctx->alloc = needed;