hfsplus_uni2asc_xattr_str() returns the converted byte count but does not
append a trailing NUL. hfsplus_listxattr() then passes the reusable
conversion buffer to string helpers such as can_list(), name_len(), and
copy_name().

If a shorter converted xattr name follows a longer one, stale bytes after
the new byte count can make strscpy() fail with -E2BIG. The caller adds
copy_name()'s return value to the running output offset, so a negative
return can move the next write before the listxattr buffer.

Explicitly terminate the converted name at the returned byte count before
treating it as a C string.

Fixes: 127e5f5ae51ef ("hfsplus: rework functionality of getting, setting and deleting of extended attributes")
Cc: stable@vger.kernel.org
Assisted-by: Codex:gpt-5.5
Signed-off-by: Kyle Zeng <kylebot@openai.com>
---
 fs/hfsplus/xattr.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/hfsplus/xattr.c b/fs/hfsplus/xattr.c
index 452a1f9becb2..35fcbc397b62 100644
--- a/fs/hfsplus/xattr.c
+++ b/fs/hfsplus/xattr.c
@@ -870,6 +870,7 @@ ssize_t hfsplus_listxattr(struct dentry *dentry, char *buffer, size_t size)
 			res = -EIO;
 			goto end_listxattr;
 		}
+		strbuf[xattr_name_len] = '\0';
 
 		if (!buffer || !size) {
 			if (can_list(strbuf))
-- 
2.54.0