qemu-devel


Re: [Qemu-devel] [PATCH] fsdev: Fix overrun after readlink() fills buffe


From: Aneesh Kumar K.V
Subject: Re: [Qemu-devel] [PATCH] fsdev: Fix overrun after readlink() fills buffer completely
Date: Wed, 26 Feb 2014 12:25:32 +0530
User-agent: Notmuch/0.17+7~gc734dd75344e (http://notmuchmail.org) Emacs/24.3.1 (x86_64-pc-linux-gnu)

Markus Armbruster <address@hidden> writes:

> readlink() returns the number of bytes written to the buffer, and it
> doesn't write a terminating null byte.  do_readlink() writes it
> itself.  Overruns the buffer when readlink() filled it completely.
>
> Fix by reserving space for the null byte when calling readlink(), like
> we do elsewhere.
>
> Signed-off-by: Markus Armbruster <address@hidden>


applied.

> ---
>  fsdev/virtfs-proxy-helper.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
> index 713a7b2..bfecb87 100644
> --- a/fsdev/virtfs-proxy-helper.c
> +++ b/fsdev/virtfs-proxy-helper.c
> @@ -595,7 +595,7 @@ static int do_readlink(struct iovec *iovec, struct iovec 
> *out_iovec)
>      }
>      buffer = g_malloc(size);
>      v9fs_string_init(&target);
> -    retval = readlink(path.data, buffer, size);
> +    retval = readlink(path.data, buffer, size - 1);
>      if (retval > 0) {
>          buffer[retval] = '\0';
>          v9fs_string_sprintf(&target, "%s", buffer);
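Review bot: `size - 1` on the readlink() line assumes `size` is at least 1, and the visible context shows no check for that between `g_malloc(size)` and the call. If `size` can be 0, the subtraction yields a huge length once converted to readlink()'s size_t parameter; consider rejecting `size == 0` before the allocation. Separately, readlink() truncates silently, so a `retval` equal to `size - 1` may mean the target did not fit; the `retval > 0` branch could treat that case as an error rather than pass a shortened target to v9fs_string_sprintf().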
> -- 
> 1.8.1.4
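An added example, not part of the original mail or of QEMU: the reserve-one-byte pattern from the patch, in a hypothetical helper `readlink_str()` that also rejects a zero-sized buffer and treats a completely filled buffer as possible truncation. `demo()` and the symlink it creates under /tmp are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not QEMU code): read a symlink target into buf as a
 * NUL-terminated string. Returns the target length, or -1 on error, on a
 * zero-sized buffer, or when the target may have been truncated. */
static ssize_t readlink_str(const char *path, char *buf, size_t size)
{
    ssize_t n;

    if (size == 0)
        return -1;                      /* size - 1 would wrap around */
    n = readlink(path, buf, size - 1);  /* reserve one byte for '\0' */
    if (n < 0)
        return -1;
    buf[n] = '\0';                      /* n <= size - 1, so in bounds */
    if ((size_t)n == size - 1)
        return -1;                      /* filled completely: maybe truncated */
    return n;
}

/* Constructed test rig: create a symlink to `target` in a fresh temp dir and
 * read it back through a heap buffer of `bufsize` bytes. Returns what
 * readlink_str() returned, or -2 if the rig itself failed. */
static ssize_t demo(const char *target, size_t bufsize)
{
    char dir[] = "/tmp/rlXXXXXX", link[64];
    char *buf = malloc(bufsize ? bufsize : 1);
    ssize_t n = -2;

    if (buf && mkdtemp(dir)) {
        snprintf(link, sizeof(link), "%s/l", dir);
        if (symlink(target, link) == 0) {
            n = readlink_str(link, buf, bufsize);
            if (n >= 0 && strcmp(buf, target) != 0)
                n = -2;
            unlink(link);
        }
        rmdir(dir);
    }
    free(buf);
    return n;
}
```

Rejecting the exactly-full case is conservative: a target of length `size - 1` fits, but readlink() gives no way to tell it apart from a longer one that was cut off.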



