From 00a4a970d5cb0b5e2bbc8fc4aeb3d8f7c0d12e73 Mon Sep 17 00:00:00 2001
From: Pavel Punsky <eakraly@users.noreply.github.com>
Date: Sun, 8 Feb 2026 12:31:52 -0800
Subject: [PATCH] Fix missing null termination after strncpy in PostgreSQL
 driver (dbd_pgsql.c)

Vulnerability: strncpy(realm/pwd, ...) did not null-terminate when
value length >= STUN_MAX_*_SIZE, causing unterminated strings.

Fix: Set realm[STUN_MAX_REALM_SIZE] and pwd[STUN_MAX_PWD_SIZE]
to '\0' after each strncpy.

Co-authored-by: Cursor <cursoragent@cursor.com>
---
 src/apps/relay/dbdrivers/dbd_pgsql.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/apps/relay/dbdrivers/dbd_pgsql.c b/src/apps/relay/dbdrivers/dbd_pgsql.c
index f863c83d..c81b5118 100644
--- a/src/apps/relay/dbdrivers/dbd_pgsql.c
+++ b/src/apps/relay/dbdrivers/dbd_pgsql.c
@@ -883,10 +883,12 @@ static int pgsql_get_admin_user(const uint8_t *usname, uint8_t *realm, password_
       const char *kval = PQgetvalue(res, 0, 0);
       if (kval) {
         strncpy((char *)realm, kval, STUN_MAX_REALM_SIZE);
+        realm[STUN_MAX_REALM_SIZE] = '\0';
       }
       kval = (const char *)PQgetvalue(res, 0, 1);
       if (kval) {
         strncpy((char *)pwd, kval, STUN_MAX_PWD_SIZE);
+        pwd[STUN_MAX_PWD_SIZE] = '\0';
       }
       ret = 0;
     }