xfrm: NUL terminate the ctx_str buffer in xfrmnl_sa_set_sec_ctx()

and xfrmnl_sp_set_sec_ctx(). The user already must pass a NUL
terminated string, where the NUL is included in ctx_len.

Just allocate one more by and ensure the buffer is '\0' terminated.

2 files changed, 4 insertions, 2 deletions

diff --git a/lib/xfrm/sa.c b/lib/xfrm/sa.c
index 00460da..995df9f 100644
--- a/lib/xfrm/sa.c
+++ b/lib/xfrm/sa.c
@@ -2021,7 +2021,7 @@ int xfrmnl_sa_set_sec_ctx (struct xfrmnl_sa* sa, unsigned int doi, unsigned int
 	/* Free up the old context string and allocate new one */
 	if (sa->sec_ctx)
 		free (sa->sec_ctx);
-	if ((sa->sec_ctx = calloc(1, sizeof (struct xfrmnl_user_sec_ctx) + len)) == NULL)
+	if ((sa->sec_ctx = calloc(1, sizeof (struct xfrmnl_user_sec_ctx) + 1 + len)) == NULL)
 		return -1;
 
 	/* Save the new info */
@@ -2031,6 +2031,7 @@ int xfrmnl_sa_set_sec_ctx (struct xfrmnl_sa* sa, unsigned int doi, unsigned int
 	sa->sec_ctx->ctx_doi    =   doi;
 	sa->sec_ctx->ctx_len    =   len;
 	memcpy (sa->sec_ctx->ctx, ctx_str, len);
+	sa->sec_ctx->ctx[len] = '\0';
 
 	sa->ce_mask |= XFRM_SA_ATTR_SECCTX;
 
diff --git a/lib/xfrm/sp.c b/lib/xfrm/sp.c
index 0f2ebc1..727ae5c 100644
--- a/lib/xfrm/sp.c
+++ b/lib/xfrm/sp.c
@@ -1260,7 +1260,7 @@ int xfrmnl_sp_set_sec_ctx (struct xfrmnl_sp* sp, unsigned int len __attribute__(
 	/* Free up the old context string and allocate new one */
 	if (sp->sec_ctx)
 		free (sp->sec_ctx);
-	if ((sp->sec_ctx = calloc (1, sizeof (struct xfrmnl_user_sec_ctx) + ctx_len)) == NULL)
+	if ((sp->sec_ctx = calloc (1, sizeof (struct xfrmnl_user_sec_ctx) + 1 + ctx_len)) == NULL)
 		return -1;
 
 	/* Save the new info */
@@ -1270,6 +1270,7 @@ int xfrmnl_sp_set_sec_ctx (struct xfrmnl_sp* sp, unsigned int len __attribute__(
 	sp->sec_ctx->ctx_doi    =   doi;
 	sp->sec_ctx->ctx_len    =   ctx_len;
 	memcpy ((void *)sp->sec_ctx->ctx, (void *)ctx_str, ctx_len);
+	sp->sec_ctx->ctx[ctx_len] = '\0';
 
 	sp->ce_mask |= XFRM_SP_ATTR_SECCTX;