30/04/2026 19:01, Daniil Iskhakov:
> tmp_buf is populated by the completion callback and is not guaranteed
> to be NUL-terminated.
>
> The code already accounts for this when computing tmp_size with
> strnlen(tmp_buf, sizeof(tmp_buf)). However, another loop in the same
> path still walks tmp_buf until a NUL byte is found, without checking
> the buffer limit.
>
> If the callback writes a full-sized non-NUL-terminated string, the loop
> may read past the end of tmp_buf.
>
> Fix this by computing a bounded length for each completion choice before
> printing it.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: af75078fece3 ("first public release")
> Cc: [email protected]
>
> Signed-off-by: Daniil Iskhakov <[email protected]>
Applied, thanks.
