From de7a9d6f90c18579766a757ef6cdcf0752f23209 Mon Sep 17 00:00:00 2001 From: Alejandro Colomar Date: Sun, 1 Mar 2026 14:23:23 +0100 Subject: [PATCH] src/useradd.c: create_home(): Fix benign off-by-one bug 'path' will only copy contents from 'bhome', which itself is a dup of 'prefix_user_home'. Thus it only needs to be able to hold the contents of that string (thus, strlen(3) + 1 for the NUL). We don't add any characters that were not present in the original string (but we do collapse adjacent slashes), and thus the 'path' string may be shorter or as long as 'bhome', but certainly not longer. This seems to have been an off-by-one calculation, as this code has never needed space for an extra byte, AFAICS. Fixes: b3b6d9d7 (2018-05-15; "Create parent dirs for useradd -m") Link: Link: Cc: Michael Vetter Cc: Thorsten Behrens Cc: Thorsten Kukuk Cc: Serge Hallyn Cc: Eric Seifert Cc: Iker Pedrosa Signed-off-by: Alejandro Colomar --- src/useradd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/useradd.c b/src/useradd.c index 6570cee830..c9901b0378 100644 --- a/src/useradd.c +++ b/src/useradd.c @@ -2212,7 +2212,7 @@ usr_update (unsigned long subuid_count, unsigned long subgid_count, */ static void create_home(const struct option_flags *flags) { - char path[strlen(prefix_user_home) + 2]; + char path[strlen(prefix_user_home) + 1]; char *bhome, *cp; mode_t mode; bool process_selinux;
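Review bot: the new declaration `char path[strlen(prefix_user_home) + 1];` in create_home() leaves no slack at all, and the invariant that justifies it (path only receives bytes copied from bhome, with adjacent slashes collapsed, so it is never longer than prefix_user_home) is recorded only in the commit message, not in the code. Please add a short comment at the declaration stating that invariant, so that a later change which appends anything to path (a trailing slash, for example) is recognised as needing a larger buffer instead of silently turning into a stack overflow. The code that fills path lies outside this hunk's context, so the bound cannot be checked from the diff alone; it is worth confirming in review that every slash written into path corresponds to a slash in the source string, including the case where prefix_user_home does not begin with '/'. Separately, path remains a variable-length array sized from strlen(prefix_user_home) with no upper bound visible here; if that length is not capped before create_home() runs, a fixed limit or a heap allocation would be the safer choice.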