From 44aa151e1b4f07e3f230e017e20ecd4e25595f04 Mon Sep 17 00:00:00 2001
From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
Date: Sat, 2 May 2015 08:31:16 +0000
Subject: [PATCH] Fix an off-by-one bug in string/array handling which lead to
 memory overwrite and follow-up assertion errors on at least ARM after
 r282257, with nvp_magic being 0x6e7600: Assertion failed: ((nvp)->nvp_magic
 == 0x6e7670), function nvpair_name, file .../subr_nvpair.c, line 713.

Sponsored by:	DARPA/AFRL
---
 sys/kern/subr_nvpair.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/kern/subr_nvpair.c b/sys/kern/subr_nvpair.c
index b0fc322190f3..153dcda76c56 100644
--- a/sys/kern/subr_nvpair.c
+++ b/sys/kern/subr_nvpair.c
@@ -733,7 +733,7 @@ nvpair_allocv(const char *name, int type, uint64_t data, size_t datasize)
 	if (nvp != NULL) {
 		nvp->nvp_name = (char *)(nvp + 1);
 		memcpy(nvp->nvp_name, name, namelen);
-		nvp->nvp_name[namelen + 1] = '\0';
+		nvp->nvp_name[namelen] = '\0';
 		nvp->nvp_type = type;
 		nvp->nvp_data = data;
 		nvp->nvp_datasize = datasize;